Winamp Logo
Digital Forensic Survival Podcast Cover
Digital Forensic Survival Podcast Profile

Digital Forensic Survival Podcast

English, Technology, 1 season, 452 episodes, 6 days, 1 hour, 46 minutes
About
Listen to talk about computer forensic analysis, techniques, methodology, tool reviews and more.
Episode Artwork

DFSP # 453 Windows Startup Locations

In today’s episode, we’ll focus on startup folders, which are perhaps the easiest to triage among all persistence mechanisms. But before diving in, let’s recap the journey so far to underscore the importance of a comprehensive approach rather than a one-off tactic. Each triage area we've covered plays a crucial role in identifying and stopping attacks...
10/22/202418 minutes, 19 seconds
Episode Artwork

DFSP # 452 AI and DFIR

In 2024, AI has not only revolutionized how we defend against cyber threats but also how those threats are being carried out. We'll explore how AI is enabling faster, more efficient security incident responses, with real-world examples of its application in automated threat detection and response, advanced forensics, and more. But with every technological leap forward, there's a dark side and attackers are harnessing AI to orchestrate sophisticated attacks...
10/15/202422 minutes, 2 seconds
Episode Artwork

DFSP # 451 SQL Triage

SQL injection poses significant risks by enabling attackers to access sensitive metadata, execute dynamic SQL commands, and alter system parameters. These actions can lead to unauthorized data access and system disruptions, especially if attackers gain elevated privileges. This week I'm talking about SQL attack patterns from a triage point of view to help you detect such activity when doing log analysis...
10/8/202426 minutes, 26 seconds
Episode Artwork

DFSP # 450 Secure coding and DFIR

I decided to talk this week about the Importance of Secure Coding Knowledge for Security Incident Response Investigations. Knowing secure coding principles helps identify the root causes of vulnerabilities and recognize attack patterns. It facilitates effective communication and collaboration with developers, ensuring accurate incident reports and actionable recommendations. Secure coding knowledge enhances forensic analysis by aiding in code reviews and log analysis to detect anomalies. It also allows responders to suggest mitigation strategies and improve the security posture of applications. Ultimately, this knowledge leads...
10/1/202419 minutes, 34 seconds
Episode Artwork

DFSP # 449 Zero-Day or Hero-Day

This week, we're covering zero-day vulnerability response from a Digital Forensics and Incident Response professional's perspective. In our roles, we often get involved in various tasks that require a security mindset, and one critical task is responding to zero-day vulnerabilities. To provide a real-world context, we'll integrate the recently disclosed zero-day exploit "Copy2Pwn" (CVE-2024-38213) and discuss the specific forensic artifacts and methods used to achieve the objectives of a DFIR response.
9/24/202433 minutes, 43 seconds
Episode Artwork

DFSP # 448 WebShell Forensics

Welcome to this week’s session, where we’ll delve into web shell forensics—an ever-critical topic in incident response investigations and threat-hunting strategies. Today, I’ll provide a breakdown that includes the latest developments, detailed triage techniques, and practical examples of what to look for during your investigations:
9/17/202420 minutes, 14 seconds
Episode Artwork

DFSP # 447 Linux Root Kits

Rootkits are hard to detect because they employ advanced stealth techniques to hide their presence. They can conceal processes, files, and network activities by altering system calls and kernel data structures. The deep system knowledge and specialized tools required for low-level analysis make rootkit detection complex and resource-intensive. Limited visibility of standard security tools further complicates the identification of rootkits. However, This week I'm going to talk about how to identify root kits on a Linux systems using only the command line.  
9/10/202432 minutes, 39 seconds
Episode Artwork

DFSP # 446 Registry by EVTX

In previous episodes, we covered techniques for examining the Windows Registry, a critical component in identifying persistence mechanisms. We'll explore the registry but shift our focus to registry modification events as reported by Windows event logs
9/3/202420 minutes, 2 seconds
Episode Artwork

DFSP # 445 Bash Triage

Bash history's forensic value lies in its ability to answer diverse investigative questions, making it a cornerstone artifact for Linux systems. It aids in triaging lateral movement, identifying reconnaissance activities, and detecting attempts at establishing persistence. This underscores the importance of structuring triage tasks around specific investigative questions, facilitating focused analysis amidst potentially extensive Bash history records...
8/27/202427 minutes, 26 seconds
Episode Artwork

DFSP # 444 A little assistance

The UserAssist key is a Windows Registry artifact that logs details about user activity, such as recently accessed programs and files. It encodes information on the frequency and last access time of items launched via Windows Explorer. This helps investigators understand user behavior and timeline of actions on a system, providing evidence of program execution and file access...
8/20/202428 minutes, 41 seconds
Episode Artwork

DFSP # 443 - Standard Actions

Every incident response outfit should have a set of guidelines for their team which outlines the standard actions or common considerations for security investigations. In this episode, I highlight some of the key points for security teams with a special focus on initial actions which typically set the tone for success during the subsequent investigation.
8/13/202438 minutes, 48 seconds
Episode Artwork

DFSP # 442 - Database Response

Understanding the different types of databases is important for security incident response investigations, as databases are often targeted by attackers seeking sensitive information. Each database type—relational, NoSQL, in-memory, and cloud-based—has unique structures, query languages, and security mechanisms. Familiarity with these variations enables investigators to effectively... 
8/6/202431 minutes, 10 seconds
Episode Artwork

DFSP # 441 - CIS Benchmarks

CIS (Center for Internet Security) Benchmarks provide a comprehensive set of best practices for securing IT systems and data, which are vital for security response investigations. These benchmarks, developed through a consensus-driven process by cybersecurity experts, offer detailed guidelines for configuring operating systems, applications, and network devices to enhance their security posture. In the context of security response investigations, adhering to CIS Benchmarks helps ensure that systems are resilient against common threats and vulnerabilities. By implementing these benchmarks, organizations can better detect, respond to, and recover from security incidents, thereby minimizing potential damage and improving overall cybersecurity hygiene.
7/30/202426 minutes, 14 seconds
Episode Artwork

DFSP # 440 - ABCs of BECs

Business Email Compromise (BEC) forensics involves the meticulous investigation of cyberattacks where attackers infiltrate email systems to manipulate business communications for financial gain. These attacks often entail phishing, social engineering, and credential theft to impersonate trusted entities within or outside an organization. Forensic analysis of BEC incidents focuses on tracing the attacker's entry point, examining email headers, metadata, and logs to uncover the methods used for unauthorized access. It also involves identifying compromised accounts, understanding the scope of the attack, and preserving evidence for legal proceedings. Effective BEC forensics is crucial for mitigating financial losses, strengthening cybersecurity defenses, and preventing future incidents.
7/23/202424 minutes, 44 seconds
Episode Artwork

DFSP # 439 - Remoting Windows

Remote Desktop Protocol (RDP) is a crucial artifact in digital forensics due to its extensive use for remote system access. Analyzing RDP activities can uncover vital information about unauthorized access, insider threats, and attacker lateral movement within a network. Forensic examination of RDP logs enables investigators to trace an attacker's steps, identify compromised accounts, and assess the breach's extent. For instance, RDP forensics can detect brute force attacks on login credentials, track the use of stolen credentials, and monitor suspicious reconnection attempts to previously established sessions.
7/16/202423 minutes, 48 seconds
Episode Artwork

DFSP # 438 - Old Nix

This week, I will be discussing the Linux operating system from a DFIR perspective. It is highly recommended for every examiner to become proficient in Linux, especially with the increasing prevalence of cloud-based infrastructures in enterprise environments. As these platforms become the norm, you can expect to encounter Linux systems frequently during your investigations.
7/9/202432 minutes, 1 second
Episode Artwork

DFSP # 437 - Windows Autoruns

In Windows forensics, understanding the intricacies of autorun functionalities and the Windows Registry is essential for effective incident response and investigation. Autorun mechanisms, which allow programs to execute automatically when the system starts or specific actions are performed, can be exploited by malicious actors to persist on a system. The Windows Registry, a hierarchical database that stores low-level settings for the operating system and applications, plays a crucial role in tracking these autorun entries. Forensic analysis of the Windows Registry can reveal information about auto-starting applications, system configurations, and user activities, providing insights into potential security breaches and unauthorized changes.
7/2/202424 minutes, 54 seconds
Episode Artwork

DFSP # 436 - Ja-Who?

The JOHARI methodology simply provides a structure for something that you're probably already doing. However, with the structure comes a standard, which is the benefit to any security team. The team should be speaking the same language, especially in fast moving, dynamic situations. Going into a situation and asking for the "known – knowns” and “Blindspots" should register with every team member without any question about their definitions...
6/25/202422 minutes, 58 seconds
Episode Artwork

DFSP # 435 - Good Ol’ Powershell

Threat actors often exploit PowerShell in cyber attacks due to its capabilities and integration with Windows operating systems. Microsoft has cited powershell as one of the most commonly used tools in the attack chain. It also comes up in phishing campaigns and other attacks that include infecting URL links. The challenge lies in the fact that it is a commonly used administration tool. As an analyst, you can expect to have lots of powershell scripts and commands come up during your investigations. Your job is to be able to differentiate between the good and bad. Fortunately, this episode is going to give you some tips and tricks on how to do exactly that...
6/18/202429 minutes, 24 seconds
Episode Artwork

DFSP # 434 - The Reg

The Windows registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as for applications running on the platform. In order to make use of any of this information, you must understand the registry from a DFIR point of view, and that's exactly what I'm doing in this episode...
6/11/202420 minutes, 53 seconds
Episode Artwork

DFSP # 433 - SU DOs and DONTS

On a Linux or Mac system, there can be user accounts that have the ability of privilege escalation. Knowing how to triage, for this has a twofold benefit: (1) you obviously want to know which account may elevate to route privileges. If you're doing account triage, these are the ones you should prioritize. The other benefit (2) is to identify any account that can escalate. This fact alone ...
6/4/202420 minutes, 59 seconds
Episode Artwork

DFSP # 432 - Control Bits

TCP control bits are part of the TCP header and are used to manage the connection between two devices. These control bits are single-bit flags that indicate various aspects of the TCP connection and are important for understanding and analyzing network traffic...
5/28/202424 minutes, 8 seconds
Episode Artwork

DFSP # 431 - Finding Needles

The time it takes from an initial escalation to the initial discovery of compromise is a key metric. Teams strive to do this as quickly as possible, but there are a number of challenges. You do not know what you're going to be handed, but you're pretty much guaranteed It's going to be a unique set of circumstances that require some type of customized or mostly customized response. So how do you accomplish this? Most analyst rely on a set of tried and true various techniques that can be used at scale. This week I'm going to cover a few of them, each being a critical technique you should be familiar with for forensic investigations...
5/21/202422 minutes, 59 seconds
Episode Artwork

DFSP # 430 - Targeting Tasks

Windows Scheduled Tasks are often used by attackers to establish persistence. As an analyst, you want to be aware of the different windows event codes that record these details. These artifacts come up in just about every windows compromise assessment, consider them core triage skills. There are several events, all of which I will go over in this episode. I will break them down from a DFIR point of view and give you the triage methodology...
5/14/202418 minutes, 20 seconds
Episode Artwork

DFSP # 429 - Career Moves

This week I talk about career moves for the DFIR professional. The skill set is valuable, but it must be combined with the right additional technical skills to maximize future job opportunities. Of course, there is one skill set that stands out above the rest...
5/7/202422 minutes, 12 seconds
Episode Artwork

DFSP # 428 - It’s all about that XML

When you're triaging a Windows system for evidence of compromise, it's ideal if your plan is focused on some quick wins upfront. There are certain artifacts that offer this opportunity, and Windows Events for New Scheduled Tasks are one of them. Sometimes overlooked, at least in part, because the good stuff contained within the XML portion of the log. This week I'm covering the artifact from a DFIR point of view, I'll go over all the elements of the log entry that are of interest for investigations, and I'll provide a triage methodology that you can employ to find evidence quickly.
4/30/202427 minutes, 32 seconds
Episode Artwork

DFSP # 427 - MOF Balls

Windows management instrumentation, also known as WMI, is an App on Windows that allows a user to query all sorts of things about a system. Being native to Windows, it is an attractive target for a attackers to leverage. This week I'll break down the artifact from a DFIR point of a few and talk about how to detect its misuse.
4/23/202431 minutes, 47 seconds
Episode Artwork

DFSP # 426 - SSH Forensics: Log Analysis

This week I'm wrapping up my series on SSH forensics with a discussion on SSH log triage. Logs are usually what an analyst will start with, so this episode is important. There are a few different log types, and there is a pitfall with one of them, which is something you must be aware of to avoid making inaccurate conclusions. I'll provide the artifact breakdown, triage methodology, and more.
4/16/202422 minutes, 4 seconds
Episode Artwork

DFSP # 425 - SSH Forensics: Host-Based Artifacts

In the last episode on this topic, I covered SSH from a investigation point of view. I explained SSH and the artifacts that typically come up when your investigating. In this episode, we're getting into the triage methodology. This includes the artifacts targeted for a fast, but yet effective triage for notable SSH activity on a given host.
4/9/202430 minutes, 54 seconds
Episode Artwork

DFSP # 424 - SSH Forensics: Understanding Secure Shell

SSH is a protocol used to secure remote access to systems, making it a cornerstone in safeguarding sensitive information and ensuring secure communications. In this podcast, we will delve into the basics of SSH, its key concepts and other useful elements important for context when investigating for notable SSH activity.
4/2/202423 minutes, 12 seconds
Episode Artwork

DFSP # 423 - Guiding Lights: Cyber Investigations Investigation Lifecycle

This week I'm discussing a fundamental aspect of cybersecurity: incident response preparation. Effective incident response is paramount, and preparation is the key to success. This preparation includes comprehensive documentation, training, having the right tools and resources in place, and developing incident response plans and playbooks. It also involves ensuring clear communication protocols and conducting regular training and testing.  I'll explore preparation from the perspective of the investigation life cycle, where success is the reward for preparation. Join me as I uncover the importance of preparation in incident response and how it lays the foundation for success in investigations.
3/26/202430 minutes, 51 seconds
Episode Artwork

DFSP # 422 - EVTX Express: Cracking into Windows Logs Like a Pro

Today I'm talking Windows forensics, focusing on Windows event logs. These logs are very valuable for fast triage, often readily available in your organization's SIEM. But have you ever wondered about the processes enabling this quick access? Not only are the logs automatically collected and fed into the appliance, but they are also formatted and normalized for easy data searchability. This is crucial, as the logs are originally in a complex format challenging to natively interpret. Now, picture a scenario where event logs are inaccessible through a security appliance—enter this week's topic: EVTX analysis options. Don't be caught unprepared.
3/19/202421 minutes, 7 seconds
Episode Artwork

DFSP # 421 - Memory Lane: Fileless Linux Attacks Unraveled

In this podcast episode, we talk about Linux's `memfd` – a virtual file system allowing the creation of anonymous memory areas for shared memory or temporary data storage. Threat actors exploit `memfd` for fileless malware attacks, as its memory areas exist only in RAM, evading traditional file-based detection methods. Join me as I `memfd` as a forensic artifact, its implications in DFIR, and strategies for detecting its abuse.
3/12/202425 minutes, 42 seconds
Episode Artwork

DFSP # 420 - Failing, Stopping and Crashing

This week we explore into the world of Windows service event codes and their role in forensic investigations. Windows services are background processes crucial for system functionality, running independently of user interaction- making them ideal. Target were exploitation. Join me to explore the intricate details of Windows services and their significance in digital forensics.
3/5/202422 minutes, 30 seconds
Episode Artwork

DFSP # 419 - What the Flux

This week, we're delving into the realm of fast flux, a cunning technique employed by attackers to cloak their true, malicious domains. Its effectiveness is the reason behind its widespread use, making it crucial for analysts to grasp its nuances and avoid chasing elusive ghosts during investigations. Stay tuned as I unravel the intricacies of fast flux, providing insights into what it entails and offering valuable tips on how to effectively detect it. All this and more coming your way!
2/27/202427 minutes, 49 seconds
Episode Artwork

DFSP # 418 - Core Insights: Navigating MFT in Forensics

In this week's exploration, I'm delving into the intricate realm of the Master File Table (MFT), a pivotal forensic artifact in Windows investigations. The MFT provides a valuable gateway to decode evidence across various scenarios. Join me in this episode as we unravel the forensic basics, explore diverse use cases, and discover a range of tools that empower you to unlock the full potential of this invaluable artifact.
2/20/202422 minutes, 10 seconds
Episode Artwork

DFSP # 417 - Unlocking Linux Secrets

This week I delve into the intriguing domain of Linux malware triage. The Linux platform presents forensic analysts with a unique opportunity to excel in performing malware triage effortlessly. The beauty of it lies in the fact that you don't require any specialized tools; all you need is a solid grasp of a few commands and the ability to decipher their output. With these skills in your arsenal, any analyst can swiftly and efficiently navigate through the process of malware triage. Stay tuned for more insights on this in the upcoming discussion!
2/13/202432 minutes, 20 seconds
Episode Artwork

DFSP # 416 - Persistence Mechanisms on Windows

This week I’m going to talk about New Service Installation details recorded in Windows event logs. These have a number of advantages for your triage methodology and I will have all the details coming up. 
2/6/202425 minutes, 56 seconds
Episode Artwork

DFSP # 415 - Dealing with Third-Party Incidents

Organizations leverage third-party services more and more for business advantages. For the security professional, this means the organizational data you're charged with protecting is under the control of a third-party in some way shape or form. In this episode, I cover third-party risk landscape for security professionals with a special focus on identifying scope and responsibility.
1/30/202420 minutes, 32 seconds
Episode Artwork

DFSP # 414 - CRON Forensics

Cron become important and Linux forensics when you’re talking about persistence. Think scheduled tasks if you want a Windows equivalent. The artifact is not that difficult to analyze once you understand the elements to focus on and it is typically readily available. It’s something that you can check out a live system, gather with a collection script, and more and more security appliances are designed to access the artifact as well. I’ll...
1/23/202414 minutes, 18 seconds
Episode Artwork

DFSP # 413 - Ransomware Initial Response

Ransomware cases can be particularly challenging, especially during the initial response. They tend to be fast-paced and require the responder to simultaneously prioritize a number of tasks. Each of these tasks can have critical impact upon the outcome of the response and subsequent investigation. In this episode I am going to cover some immediate response actions. The goal here is to provide a framework that will allow responders to get off on the right foot…
1/16/202416 minutes, 55 seconds
Episode Artwork

DFSP # 412 - Conhost Forensics

Conhost, or the Console Application Host, often comes up during investigations. Understanding what it is, the evidence may contain and how to extract that information becomes important...
1/9/202419 minutes, 2 seconds
Episode Artwork

DFSP # 411 - NTLM Credential Validation

This week I'm talking about detecting evidence of lateral movement on Window systems using NTLM credential validation events. Much like the episode I did on Kerberos, NTLM events offer the same advantage of being concentrated on domain controllers, which allows you, as the analyst, leverage a great resource for user account analysis. I will have the background, artifact breakdown, and triage strategy coming up right after this…..
1/2/202418 minutes, 9 seconds
Episode Artwork

DFSP # 410 - Linux Temp Directories

Temporary directories play a significant role in computer forensic investigations as they can potentially contain valuable digital evidence. When conducting a computer forensic investigation, these temporary directories can provide insights into user activities, application usage, and potentially malicious behavior...
12/26/202315 minutes, 38 seconds
Episode Artwork

DFSP # 409 - Regsvcs and Regasm Abuse

This week I’m talking about Regsvcs /Regasm exploitation, which is a Windows tactic attackers use to evade defense mechanisms and execute code. Specifically, this technique can be used to bypass process whitelisting and digital certificate validation. I'll break down some interpretation methods that may be used to identify such exploitation....
12/19/202311 minutes, 14 seconds
Episode Artwork

DFSP # 408 - Nesting

This week I’m talking about Nested Groups and the risk they pose for security. Built-in to the functionality of Active Directory is the ability to attach a group to another group. While this has advantages for account administration across an organization, it also offers attackers opportunity if certain precautions are not taken. This week I’ll break down Nested Groups in DFIR terms, talk about how attackers take advantage of it and what analysts need to know for investigations.
12/12/202313 minutes, 22 seconds
Episode Artwork

DFSP # 407 - More About Lateral Movement and Kerberos

This week it's more about lateral movement and kerberos events.
12/5/202319 minutes, 21 seconds
Episode Artwork

DFSP # 406 - All the BIN Directories

In a typical Linux "bin" directory, you can find various types of executable files and scripts that are used to perform different tasks. The confusing part is that there are a number of different BIN directories throughout the file system. What is the purpose and difference between these BIN directories? What do you need to know about them for forensic investigations? The answers to those questions and more are coming up...
11/28/202314 minutes, 49 seconds
Episode Artwork

DFSP # 405 - Werfault Attacks

Werfault is in interesting artifact in that there is not a lot of documentation on it but yet it may affect an investigation in different ways.  Its appearance in logs sometimes adds a bit of confusion to an investigation because it could mean different things. Add to that a layer of apparent obscurity as to exactly how to interpret the information makes it even more difficult for newer examiners. I took on the question...
11/21/202314 minutes, 39 seconds
Episode Artwork

DFSP # 404 - Certutil Attacks

Certutil, a powerful command-line utility, possesses the potential for misuse by malicious actors to establish illicit network connections. Therefore, it is crucial to familiarize oneself with its legitimate applications and recognize common indicators of misuse. In this episode, we will delve into the utility of Certutil and identify effective methods to promptly detect and address potential abuses. Stay tuned as we explore these topics in depth...
11/14/202312 minutes, 19 seconds
Episode Artwork

DFSP # 403 - Lateral Movement Kerberos Auth Events

This week I'm going to cover an important Windows event that provides valuable information about authentication attempts and potential security breaches. The event may be used to identify compromised accounts, identify brute, force, attacks, or password spraying attacks. It may also be used to detect attack or probing activities. The artifact breakdown and triage methodology is coming up….
11/7/202315 minutes, 40 seconds
Episode Artwork

DFSP # 402 - Linux Root Directory Files for DFIR

In Linux and Unix-based operating systems, the "root" account is the superuser or administrator account with the highest level of privileges. It has complete control over the system and can perform any action, including modifying system files, installing software, and managing user accounts. The root account is sometimes referred to as the "root user" or simply “root"....
10/31/202318 minutes, 26 seconds
Episode Artwork

DFSP # 401 - INF Fetch Execute

This week we are taking a bit of a deep dive into an advanced attack technique to accomplish remote execution called “fetch and execute.” While there are different methods to accomplish the sort of thing what I am going to be focusing on is exploitation using a common Windows executable and installation file. Think of this as one of the touted “living off the land” attack techniques. It has value for compromise assessment methods as well as for threat hunting strategies...
10/24/202315 minutes, 40 seconds
Episode Artwork

DFSP # 400 - CMSTP

This week I am going to focus on a specific remote execution technique that you may see in the wild. Remote execution is important for incident response investigations but also for file use and knowledge investigations, particularly those that conducted due diligence exams for evidence of malware. I have covered remote execution in the past from different angles and I have done so because it is one of the red flags that an analyst should be looking for. In order to be effective in recognizing either an actual malicious execution or the risk of an attempted remote execution you must be reversed in the clever ways attackers attempt to compromise a host using Microsoft applications. The highlight this week will be CMSTP.exe abuse...
10/17/202314 minutes, 16 seconds
Episode Artwork

DFSP # 399 - Lateral Movement Failed Logon Events

Finding and analyzing failed logons sometimes is just as important as finding suspicious, actual logon activity. Like anything, context is important. Old logon records offer an opportunity to identify not only suspicious activity, but perhaps attempted activity by an attacker. A standard move in the attack chain is to compromise an account and use it to move within the breached environment. However, it doesn't always work as planned for the attacker, and you may find failed activity a valid signal for identifying, malicious actions. This episode, I'm going to take a look at failed logon events from an investigation point of you.
10/10/202313 minutes, 4 seconds
Episode Artwork

DFSP # 398 - OODA & JOHARI

This week I will discuss the use of the OODA loop and JOHARI window in security incident response investigations. These two frameworks are designed to help organizations quickly and effectively respond to security incidents, and can be used in combination to enhance incident response capabilities....
10/3/202316 minutes, 6 seconds
Episode Artwork

DFSP # 397 - Linux Home Directory Files for DFIR

This week I'm talking about the linux file system from the point of view of a forensic analyst. In general, it's a good idea to have a solid working knowledge of the linux file system so you understand what directories hold what artifacts… Or if you're looking for a specific category of artifact, you at least have an idea of where you may find it. I will cover the home directory this week and breakdown the typical forensic artifacts you find there……
9/26/202320 minutes, 49 seconds
Episode Artwork

DFSP # 396 - URL Leak

This week I will talk about investigating data spill cases involving exposed URLs. This is a typical privacy investigation many incident response teams handle and I thought it would be useful to go over some standard guidelines for handling such cases. To be effective with these investigations you need to know how to determine liability and responsibility, a little Google foo, and a number of odds and ends concerning mitigation, containment and remediation strategies....
9/19/202318 minutes, 47 seconds
Episode Artwork

DFSP # 395 - Lateral Movement and Admin Logons

This week is on lateral movement detection techniques. Inspecting Domain Admin account logons is a key component to lateral movement triage. Admin accounts are sought after by attackers for their elevated privileges. Evidence is often left behind both on the targeted system and on the domain controller. Both these factors provide protection opportunity through Windows event log analysis. I’ll break down the method....
9/12/202318 minutes, 38 seconds
Episode Artwork

DFSP # 394 - Functional Documentation

This week I want to talk about the value of having functional documentation for your organization, or, at least for your team. Functional documentation means you have thoughtful and up-to-date incident run books, and play books that provide utility and usefulness for a responder. Without such documentation, you are always in danger of some dangerous pitfalls, some of which I'll discuss. This episode I cover what functional documentation is, it's investigative value for an organization, how to get started...
9/5/202315 minutes, 49 seconds
Episode Artwork

DFSP # 393 - Linux Subsystems for Windows

The linux subsystem for windows, create both opportunity and challenges for forensic analysts. It makes Windows an excellent platform for multi platform forensic analysis tasks, allowing it to take it vantage of the many many Linux tools available. The challenges are foreseeable, you have Linux artifacts, now commingled on a Windows platform, which makes forensic analysis that much more difficult when examining such a system as evidence. This week I'm going to break down the linux subsystems for forensic investigators…
8/29/202324 minutes, 38 seconds
Episode Artwork

DFSP # 392 - Simulation Training

This week I'm going to talk about tabletop exercises as part of a security training program. I feel that there is too much focus on technical skill training and not enough focus on actual incident management training in the industry. There are plenty of highly skilled professionals that can do DFIR work… However, a roadblock, many organizations and practitioners encounter is in the struggle of how to actually implement their knowledge and skills for a security incident response investigation within a specific organization. They may know what to do, but there are many challenges in identifying actually how to do it when the time comes. I will share my thoughts on how to improve your security program through simulation training…
8/22/202320 minutes, 52 seconds
Episode Artwork

DFSP # 391 - Investigation Lifecycle

This week I'm talking about The NIST (National Institute of Standards and Technology) investigation lifecycle. The NIST investigation lifecycle encompasses a series of well-defined steps, starting from problem identification and scoping, through data collection and analysis, to the formulation of conclusions and recommendations. This comprehensive framework ensures that investigations conducted by NIST are rigorous, unbiased, and provide reliable results that can be used to inform decision-making, improve practices, and promote innovation across a wide range of disciplines. More about it...
8/15/202326 minutes, 26 seconds
Episode Artwork

DFSP # 390 - SSH Triage

This week I'm talking about linux forensic triage strategy. In particular, I'm covering SSH. SSH traffic comes up in many different types of investigations. For that reason, it is a common and standard artifact every examiner should be familiar with. I will provide you the artifact background and the triage strategy…..
8/8/202317 minutes, 26 seconds
Episode Artwork

DFSP # 389 - $Usnrl

The USN Journal, also known as the Update Sequence Number Journal, is a feature of the Windows operating system that serves as a record of changes made to files and directories on a disk volume. It provides valuable information and insights into file system activities, which can aid investigators in reconstructing events, understanding system behavior, and uncovering evidence. This week I break down the artifact from a DFIR point of view provide triage strategy.....
8/1/202315 minutes, 16 seconds
Episode Artwork

DFSP # 388 - Web 3.0 Talk with SUMURI

This week Jason Roslewicz from SUMURI returns for some web 3.0 and virtual reality talk.
7/25/202338 minutes
Episode Artwork

DFSP # 387 - Network Share Modifications

This week I talk about adding, modifying, and removing network shares through the lens of detecting lateral movement.
7/18/202320 minutes, 25 seconds
Episode Artwork

DFSP # 386- The Three Task Hosts

This week I break down the three Windows task hosts from a DFIR point of view.
7/11/202312 minutes, 7 seconds
Episode Artwork

DFSP # 385 - Network Share Access

This week I talk about network share access events and lateral movement detection.
7/4/202319 minutes, 6 seconds
Episode Artwork

DFSP # 384 - Cloud Talk with SUMURI

This week Jason Roslewicz from SUMURI returns for some cloud talk.
6/27/20231 hour, 16 minutes, 22 seconds
Episode Artwork

DFSP # 383 - WMI Exploitation

This week I talk about the exploitation of the Windows Management Instrumentation application.
6/20/202320 minutes, 23 seconds
Episode Artwork

DFSP # 382 - Protocol Buffers

This week Chris Currier and I talk about mobile forensics and protocol buffers.
6/13/202340 minutes, 30 seconds
Episode Artwork

DFSP # 381 - Spoliation

This week I cover Windows events commonly associated with data spoliation and insider threats.
6/6/202316 minutes, 2 seconds
Episode Artwork

DFSP # 380 - Ransomware Talk with SUMURI

This week Jason Roslewicz from SUMURI returns for some ransomware talk.
5/30/202358 minutes, 27 seconds
Episode Artwork

DFSP # 379 - New Process Creation

This week I Cover my all-time favorite Windows event, security event 4688: new process creation. If you do windows, incident, response, forensics, this is a must-know know artifact.
5/23/202318 minutes, 10 seconds
Episode Artwork

DFSP # 378 - SVCHOST Revisited

This week I talk about SVCHOST; how it fits into the Windows operating system, and how to think about it from a DFIR point of view.
5/16/202318 minutes, 5 seconds
Episode Artwork

DFSP # 377 - Interview with Yugal Pathak

This week I talk with Interview with Yugal Pathak about organizational forensic readiness.
5/9/202339 minutes, 49 seconds
Episode Artwork

DFSP # 376 - Zero-Day and DFIR

This week I talk about the role and typical responsibilities DFIR professionals may be called up to take to assist with a zero-day response.
5/2/202325 minutes, 15 seconds
Episode Artwork

DFSP # 375 - More AI with SUMURI

This week Jason Roslewicz from SUMURI returns to talk more about AI issues.
4/25/202330 minutes
Episode Artwork

DFSP # 374 - SRUM

This week I break down the Windows System Resource Usage Monitor from a DFIR point of view.
4/18/202315 minutes, 8 seconds
Episode Artwork

DFSP # 373 - Linux File Poisoning

This week I cover some malware detection methods for Linux.
4/11/202319 minutes, 38 seconds
Episode Artwork

DFSP # 372 - Windows Processes

This week I talk about different ways to approach windows process triage. There are so many processes, especially in enterprise environments, having a standard approach that is fast and effective is key for security incident response.
4/4/202325 minutes, 46 seconds
Episode Artwork

DFSP # 371 - AI with SUMURI

This week Jason Roslewicz from SUMURI shares his insights about the impact of artificial intelligence and provides advice for navigating through changing times. 
3/28/202326 minutes, 17 seconds
Episode Artwork

DFSP # 370 - UserAssist

This week is a Windows artifact breakdown on a common source of evidence.
3/21/202318 minutes, 31 seconds
Episode Artwork

DFSP # 369 - Linux Malware

This week I cover malware on Linux file systems for new examiners.
3/14/202317 minutes
Episode Artwork

DFSP # 368 - SVCHOST

This week is a guide to understanding SVCHOST from a DFIR point of view. It is one of the most abused Windows processes, and having a firm working knowledge for investigations is essential.
3/7/202315 minutes
Episode Artwork

DFSP # 367 - Shimcache Amcache

This week is a Windows artifact breakdown on a common source of evidence.
2/28/202315 minutes, 3 seconds
Episode Artwork

DFSP # 366 - Linux File System

This week I cover the Linux file system for new examiners.
2/21/202315 minutes, 41 seconds
Episode Artwork

DFSP # 365 - CVSS Triage

This week I breakdown the elements within a standard CVSS report for fast triage application.
2/14/202316 minutes, 8 seconds
Episode Artwork

DFSP # 364 - Network Triage

This week I talk about how to triage Windows events for network connection activity.
2/7/202314 minutes, 37 seconds
Episode Artwork

DFSP # 363 - RDP Forensics

This week I talk about how to approach investigations involving remote desktop connections.
1/31/202317 minutes, 39 seconds
Episode Artwork

DFSP # 362 - Windows Core Processes

This week I talk about Windows core processes from a DFIR point of view.
1/24/202319 minutes, 18 seconds
Episode Artwork

DFSP # 361 - Powershell Breakdown

This week I talk about Powershell attack IOCs.
1/17/202315 minutes, 53 seconds
Episode Artwork

DFSP # 360 - Permitted Events

This week I talk about how to triage Windows events for network connection activity.
1/10/202313 minutes, 11 seconds
Episode Artwork

DFSP # 359 - Career Checkpoint

This week is my annual career assessment review - or, my guidelines of how to evaluate your past performance and your future goals.
1/3/202315 minutes, 25 seconds
Episode Artwork

DFSP # 358 - Listening Ports

This week I talk about how to triage Windows events for network listening activity.
12/27/202216 minutes, 39 seconds
Episode Artwork

DFSP # 357 - EVTX Analysis

This week I talk about an approach for reviewing Windows event logs.
12/20/202215 minutes, 28 seconds
Episode Artwork

DFSP # 356 - CMD Triage

This week I talk about an approach for reviewing CMD syntax for findings.
12/13/202214 minutes, 25 seconds
Episode Artwork

DFSP # 355 - Network Triage

This week I talk about essential network basics necessary for triage.
12/6/202214 minutes, 51 seconds
Episode Artwork

DFSP # 354 - Fast Triage

This week I talk about Webshell forensics.
11/29/202216 minutes, 59 seconds
Episode Artwork

DFSP # 353 - Webshells

This week I talk about Webshell forensics.
11/22/202215 minutes, 59 seconds
Episode Artwork

DFSP # 352 - Startup Locations

This week I talk about Windows startup locations.
11/15/202210 minutes, 32 seconds
Episode Artwork

DFSP # 351 - Prefetch

This week I talk about Windows Prefetch forensics.
11/8/202215 minutes, 14 seconds
Episode Artwork

DFSP # 350 - Linux Fileless Attacks

This week I talk about fileless attacks Linux systems.
11/1/202216 minutes, 6 seconds
Episode Artwork

DFSP # 349 - Registry Modification Events

This week I talk about how to find evidence of malicious autoruns in the windows registry using Windows event codes.
10/25/202220 minutes, 1 second
Episode Artwork

DFSP # 348 - Root Cause

This week I talk about strategies to determine root cause early during an investigation.
10/18/202212 minutes, 32 seconds
Episode Artwork

DFSP # 347 - Weblogs

This week is a breakdown of HTTP log forensic triage.
10/11/202224 minutes, 50 seconds
Episode Artwork

DFSP # 346 - Masquerading

This week I talk about finding evidence of Kernel file masquerading on Linux systems.
10/4/202215 minutes, 17 seconds
Episode Artwork

DFSP # 345 - AutoRuns

This week I talk about how to find evidence of malicious autoruns in the windows registry.
9/27/202218 minutes, 53 seconds
Episode Artwork

DFSP # 344 - Mac Spotlight DB

This week I talk about the forensic value of the Apple Spotlight DB.
9/20/202218 minutes, 23 seconds
Episode Artwork

DFSP # 343 - Registry aka The Dungeon Maze

When you talk autoruns you must talk about the Windows registry. This artifact is very dense and it may be difficult to zero in on the elements that are important for compromise assessment. Given that, I am going to begin the series with a breakdown of the Windows Registry from a DFIR point of view. This is crucial in understanding ...
9/13/202211 minutes, 32 seconds
Episode Artwork

DFSP # 342 - FLUX It

This week I talk about the attack methodology known as Fast Flux.
9/6/202214 minutes, 8 seconds
Episode Artwork

DFSP # 341 - Those other taskers

This week’s focus is on other scheduled task events useful for DFIR triage.
8/30/202214 minutes, 42 seconds
Episode Artwork

DFSP # 340 - PSEXEC, ready or not

This week I talk about a popular Windows utility attackers often exploit.
8/23/202217 minutes, 6 seconds
Episode Artwork

DFSP # 339 - That SUDO that you do

This week I breakdown the SUDOERS file for forensic triage.
8/16/202215 minutes, 14 seconds
Episode Artwork

DFSP # 338 - Taskers

This week’s focus is on new scheduled tasks, which are a common way of establishing longevity on system. I will have my breakdown of the artifact and how to interpret it for fast analysis coming up….
8/9/202220 minutes, 13 seconds
Episode Artwork

DFSP # 337 - ResponderCon

The must-attend event for Cyber First Responders who must detect and deal with ransomware, zero-day events, and more!
8/2/202218 minutes, 54 seconds
Episode Artwork

DFSP # 336 - BAM!

This week I talk about the Windows Background Activity Monitor, an artifact that may be used to find evidence of execution.
7/26/202212 minutes, 12 seconds
Episode Artwork

DFSP # 335 - CRON

This week I breakdown CRON for the uninitiated.
7/19/202213 minutes, 2 seconds
Episode Artwork

DFSP # 334 - Service Changes

This week is about persistence artifacts. Namely the records for when services fail to start, are either started or stopped, have crashed have had their start type changed. Since services are one of the common ways attackers achieve persistence, understanding how these events may be used for triage purposes is very important...
7/12/202221 minutes, 32 seconds
Episode Artwork

DFSP # 333 - Mac Autoruns

This week I talk Mac autoruns.
7/5/202220 minutes
Episode Artwork

DFSP # 332 - Bash Histories

This week is about bash history forensics.
6/28/202218 minutes, 31 seconds
Episode Artwork

DFSP # 331 - New Services

In the past I’ve talked about fast triage from a high-level, addressing the different artifacts and some interesting elements in each of those artifacts. I decided to start going a bit deeper and focus on one or a few artifacts at a time and really talk about the important details they may record for your investigation and how to interpret that information quickly. I’m going to start with the New Service Installation details recorded in Windows event logs. These have a number of advantages for your triage methodology and I will have all the details coming up.
6/21/202216 minutes, 4 seconds
Episode Artwork

DFSP # 330 - Certifications

Every so often I like to revisit certifications. Everyone seems to have their own opinion as to the value of one certification over another, whether or not certifications should carry as much weight as they do, or preference of certain certifications over others, and so on. In this episode I’m sharing my thoughts on the topic as well as how I would approach certifications if I were new in the field but also retained everything I have learned over the years about the impact certifications have or can have on your career.
6/14/202216 minutes, 24 seconds
Episode Artwork

DFSP # 329 - Shellbags

This week is a back to basics episode where I cover Windows shell bags. This is a core Windows artifact that gets included in pretty much  every file use and knowledge investigation. Any investigation where you’re looking to tie a specific account to directory access activity. Like most Windows artifacts you must know how user interaction affects the artifact in order to properly interpreted as evidence and you must also be aware of any caveats or pitfalls that may affect your evidence. Spoiler alert, there is a huge one associated with Windows shell bags that I’ll cover at the end of the episode-it’s nothing new but if you’re unfamiliar with it you definitely need to know about it.
6/7/202216 minutes, 54 seconds
Episode Artwork

DFSP # 328 - Linux Executables

If you are accustomed to Windows forensics you may find you have to shift your way of thinking about executables when you are dealing with a Linux system. Unlike Windows, in Linux there is no fixed file extension to designate an executable. Everything on a Linux system of the file and any file can be executable, so where do you even begin? In this episode I am going to address how to approach Linux executables to help those newer to Linux exams deal with the nuances.
5/31/202215 minutes, 35 seconds
Episode Artwork

DFSP # 327 - Persistence Part 1

One of the first things attackers attempt to accomplish on a compromised system is to establish persistence. Unless you are dealing with a denial of service attack, most other attacker goals are centered on maintaining the degree of control over a compromise system in order to use system resources for things like cryptomining or to maintain a foothold to further an attack strategy. This week I am going to talk about a fast triage methodology for persistence, which is one of the first triage strategies I normally recommend for a compromise assessment. Because I am focusing on a fast triage methodology I am going to focus on the artifacts most examiners will have readily at hand and how to make the most of them during the initial pass.
5/24/202214 minutes, 12 seconds
Episode Artwork

DFSP # 326 - MFT

This week I’m covering the Master file table as a core forensic artifact for Windows investigations. This artifact has value is both a primary and secondary artifact and offers opportunity to decode evidence in a number of different situations. In this episode I’m covering the forensic basics, some use cases and tools you can use to bring the value of the artifact to its full potential.
5/17/202214 minutes, 14 seconds
Episode Artwork

DFSP # 325 - Malware Triage Part 2

This week of talking malware fast triage. These are the techniques that are short of malware reverse engineering and allow analysts to identify malware and also get a sense of what it is does. This is a necessary skill set for all DFIR professionals as you typically deal with malware and you need a way to do some basic forensics on it for context to advance your investigation. This is going to be a two-part episode where I first go over the foundational information you need to have four common malware triage tasks and the second part will go over specific methods, tools, and indicators for different types of artifacts.
5/10/202220 minutes, 28 seconds
Episode Artwork

DFSP # 324 - Malware Triage Part 1

This week of talking malware fast triage. These are the techniques that are short of malware reverse engineering and allow analysts to identify malware and also get a sense of what it is does. This is a necessary skill set for all DFIR professionals as you typically deal with malware and you need a way to do some basic forensics on it for context to advance your investigation. This is going to be a two-part episode where I first go over the foundational information you need to have four common malware triage tasks and the second part will go over specific methods, tools, and indicators for different types of artifacts.
5/3/202216 minutes, 9 seconds
Episode Artwork

DFSP # 323 - SRUM

This week I’m talking about SRUM, a Windows artifact that you don’t hear that much about. It has a lot of great potential as evidence and it is something worth the time to check it out and see how it fits into your daily DFIR work.
4/26/202213 minutes, 11 seconds
Episode Artwork

DFSP # 322 - Live evidence integrity

This week is some thoughts on live evidence integrity. Years ago evidence validation was fairly standard with few exceptions. Nowadays it’s more of a challenge when considering live evidence collections either on scene, remotely or even in lab environments where physical level access to your evidence is becoming more the exception. It is something that needs to be part of your collection process as it may impact the reliability of your results. 
4/19/202217 minutes, 30 seconds
Episode Artwork

DFSP # 321 - URL Leaks

This week I will talk about investigating data spill cases involving exposed URLs. This is a typical privacy investigation many incident response teams handle and I thought it would be useful to go over some standard guidelines for handling such cases. To be effective with these investigations you need to know how to determine liability and responsibility, a little Google foo, and a number of odds and ends concerning mitigation, containment and remediation strategies depending on what you are dealing with.
4/12/202216 minutes, 30 seconds
Episode Artwork

DFSP # 320 - Lateral MM and Event Logs

This week I’m going to cover detecting lateral movement using Windows event logs. This is not the Windows fast triage method I covered in previous episodes. This is more in-depth and focuses on specific attack tools and strategies seen in actual cases. Going into this level of detail is beyond the scope of a typical episode, however there is some research that has very granular details on the tools and methods you can use. I’ll have that coming up right after this.
4/5/202213 minutes, 11 seconds
Episode Artwork

DFSP # 319 - Shellbags

This week is a back to basics episode where I am going to cover Windows shellbags. This is a core Windows artifact that gets included in pretty much most every file use and knowledge investigation or any investigation where you’re looking to tie a specific account to directory access activity. Like most Windows artifacts you must know how user interaction affects the artifact in order to properly interpreted it as evidence. You must also be aware of any caveats or pitfalls that may affect your evidence. Spoiler alert, there is a huge one associated with Windows shellbags that I’ll cover at the end of the episode-it’s nothing new but if you’re unfamiliar with it you definitely need to know about it.
3/29/202215 minutes, 7 seconds
Episode Artwork

DFSP # 318 - Rust and Chainsaw

This week I am talking about a program language called rust and the advantages it has for DFIR analyst. I’m also covering Chainsaw, a toolset that you can use for Windows event log analysis.
3/22/202215 minutes, 38 seconds
Episode Artwork

DFSP # 317 - UserAssist

This week it’s back to basics with a Windows artifact for tracking program execution. I’m covering the user assist key which is a mainstay for both live triage and dead box forensics. This artifact is useful for profiling system usage, identifying malware, and general file use and knowledge applications. There are some caveats you need to be aware of and in this episode I’m covering  five different experiments to document the effects that different types of user activity had on the artifact. If you want to better understand this artifact and how to work with it stay tuned.
3/15/202217 minutes, 36 seconds
Episode Artwork

DFSP # 316 - Cloud Traffic Security

This week I am covering how different common protocols are secured in the cloud. Part of your effectiveness as a security analyst is your knowledge and understanding of how environments work in a typical scenario. I know that all environments are different but there is some foundational knowledge that you can learn that will be useful no matter what environment you’re working. My goal with this episode is to provide you with a better understanding of how insecure protocols are handled in cloud environments.
3/8/202212 minutes, 55 seconds
Episode Artwork

DFSP # 315 - ARTHIR

This we can talk about Arthir, an open source platform for windows incident response and threat hunting.
3/1/202212 minutes, 35 seconds
Episode Artwork

DFSP # 314 - Future of Cyber Security

This week Max Lamothe-Brassard talks about the future of cyber security.
2/22/202244 minutes, 16 seconds
Episode Artwork

DFSP # 313 - Shimcache and Amcache

This week is a back to basic episode featuring Shimcache and Amcache. Learn what they are, why they are important to many investigations and the pitfalls to avoid.
2/15/202218 minutes, 28 seconds
Episode Artwork

DFSP # 312 - Cloud Network Security Services

This week is about Cloud Network Security Services.
2/8/202215 minutes, 56 seconds
Episode Artwork

DFSP # 311 - Data Spoliation Fast Triage

This week we continue with the Windows fast triage series and talk about data spoliation detection.
2/1/202213 minutes, 8 seconds
Episode Artwork

DFSP # 310 - Cloud Network Segmentation

This week is about cloud network segmentation. Network segmentation has security advantages, and that’s regardless of whether or not security is the intention. There are some big differences between traditional on-prem network segmentation and cloud infrastructure segmentation. As a DFIR practitioner, knowing the difference is vital for your incident response preparedness. This week I will break it down from a DFIR point of view and provide some necessary insight that will help you better structure your investigations involving cloud assets.
1/25/202213 minutes, 11 seconds
Episode Artwork

DFSP # 309 - Insider Threats

This week I cover insider threat, which is sort of a gray area between traditional investigations and DFIR investigations. 
1/18/202221 minutes, 42 seconds
Episode Artwork

DFSP # 308 - Cloud Access Controls

This week I’m talking about identity access controls commonly encountered in cloud environments. These come up during DFIR investigations and high-level awareness, at the least, is necessary for analysts in order to be effective during investigations. These are the things that may be part of root cause, part of the attack escalation, or part of mitigation will remediation. This week all cover the basics to help with your incident response preparedness.
1/11/202216 minutes, 45 seconds
Episode Artwork

DFSP # 307 - Career Strategy Checkup

This week is my advice for conducting a career critique as well as to plan for the future - or at least for 2022. I do this episode every year at this time with the intention of helping newer analysts maximize their efforts to achieve the desired career goals in both the short term and long term.
1/4/202230 minutes, 21 seconds
Episode Artwork

DFSP # 306 - Lateral MM Fast Triage 5

This week we continue with the Windows fast triage series and talk about lateral movement evidence that may be found in DC records.
12/28/202111 minutes, 21 seconds
Episode Artwork

DFSP # 305 - CSA Cloud Threats 8

This week is a continuation of the threats to cloud computing miniseries. We are stepping through the top 11 threats to cloud computing as identified by the Cloud Security alliance. When you are protecting cloud assets or investigating breaches of cloud assets, there is a lot to keep in mind. You must remember the standard security infrastructure, the new cloud infrastructure as well as any changes to the standard infrastructure that could be affected for your investigation. The top 11 threats to cloud computing help identify where you, as an analyst, should prioritize your time both as a starting point and how you use your limited time for continuing education.
12/21/202110 minutes, 13 seconds
Episode Artwork

DFSP # 304 - Detecting File Poisoning on Linux

This week I review a great method to detect file poisoning on Linux using all native commands.
12/14/202114 minutes, 28 seconds
Episode Artwork

DFSP # 303 - Mac Artifacts with SUMURI

This week SUMURI's Steve Whalen (a.k.a. 'MacBoy') talks Mac artifacts
12/7/202135 minutes, 45 seconds
Episode Artwork

DFSP # 302 - Lateral MM Fast Triage 4

This week we continue with the Windows fast triage series and talk about lateral movement evidence that may be found in logon event records.
11/30/202115 minutes, 46 seconds
Episode Artwork

DFSP # 301 - OSDFCON 2021

This week Brian Carrier of Basis Technology joins me to talk about OSDFCon. The DFIR community relies on open source tools and the conference is a great way to get exposure to new tools and to learn how to use them. There's a great lineup this year with something for everyone. Registration is free for everyone.
11/23/202122 minutes, 21 seconds
Episode Artwork

DFSP # 300 - Case Study Ocean Lotus

This week is a case study where we look at an actual attack strategy and compared it against standard triage methods to see how well they hold up. In this episode I break down some attack methods attributed to APT32, also known as Ocean Lotus, and we’ll see how standard triage techniques hold up against the attack chain. 
11/16/202120 minutes, 37 seconds
Episode Artwork

DFSP # 299 - Malicious Powershell with Blumira

Amanda Berlin of Blumira speaks on malicious Powershell attacks and defense techniques.
11/9/202120 minutes, 7 seconds
Episode Artwork

DFSP # 298 - Mac Forensics with SUMURI

This week SUMURI's Steve Whalen (a.k.a. 'MacBoy') talks Mac forensics.
11/2/202132 minutes, 20 seconds
Episode Artwork

DFSP # 297 - Nested Groups

This week I’m talking about Nested Groups and the risk they pose for security. Built-in to the functionality of Active Directory is the ability to attach a group to another group. While this has advantages for account administration across an organization, it also offers attackers opportunity if certain precautions are not taken. This week I’ll break down Nested Groups in DFIR terms, talk about how attackers take advantage of it and what analysts need to know for investigations.
10/26/202110 minutes, 38 seconds
Episode Artwork

DFSP # 296 - Case Study Turla-Comrat

This week is a case study where we look at an actual attack strategy and compared it against standard triage methods to see how well they hold up. The Turla group using ComRat malware is our case example, let’s see if standard triage techniques can save the day.
10/19/202119 minutes, 30 seconds
Episode Artwork

DFSP # 295 - Ransomware with Blumira

Matt Warner, Blumira CTO and Co-Founder, talks ransomware investigations.
10/12/202132 minutes, 21 seconds
Episode Artwork

DFSP # 294 - CSA Cloud Threats 7

This week is a continuation of the threats to cloud computing miniseries. We are stepping through the top 11 threats to cloud computing as identified by the Cloud Security alliance. When you are protecting cloud assets or investigating breaches of cloud assets, there is a lot to keep in mind. You must remember the standard security infrastructure, the new cloud infrastructure as well as any changes to the standard infrastructure that could be affected for your investigation. The top 11 threats to cloud computing help identify where you, as an analyst, should prioritize your time both as a starting point and how you use your limited time for continuing education. 
10/5/202110 minutes, 14 seconds
Episode Artwork

DFSP # 293 - Case Study: Ransomware

This week is a case study that demonstrates how fundamental DFIR triage methods can detect advanced attacks. Examiners, especially newer examiners, should find confidence in the fact that standard triage techniques have such a powerful impact on security investigations.
9/28/202113 minutes, 30 seconds
Episode Artwork

DFSP # 292 - Top Cloud Threats with Blumira

This week Nato Riley from Blumira pays a visit to talk about the top threats to cloud computing.
9/21/202123 minutes, 26 seconds
Episode Artwork

DFSP # 291 - Lateral MM Fast Triage 3

This week we continue with the Windows fast triage series and talk about lateral movement evidence that may be found in admin shares event records.  Four different types of logs are covered, each containing different information for triage purposes.
9/14/202114 minutes, 8 seconds
Episode Artwork

DFSP # 290 - Mac Training with SUMURI

This week SUMURI's Steve Whalen (a.k.a. 'MacBoy') and Dave Melvin talk about the latest in Mac training and certification. Learn the advantages of vendor neutral training and how to prioritize it in your own training regiment.
9/7/202120 minutes, 44 seconds
Episode Artwork

DFSP # 289 - Framing Root Cause

As an analyst, it is important to identify root cause and link it back to security governance strategies. This is dealt with through root cause statements typically. What exactly should you be doing for a root cause statement? How important is it? If you produce a findings report you can count on the root cause statement being read. Other parts of the document may be skimmed through, or even ignored, but the root cause statement is going to draw the attention of a variety of different audiences. Therefore this is something you want to get right. In this episode I’m going to deliver a simple approach you can use.
8/31/202112 minutes, 3 seconds
Episode Artwork

DFSP # 288 - Max DFIR Impact

Most of my episodes are about computer forensic artifacts and methods. Once in a while I like to cover non-technical topics, such as thoughts and recommendations about career development, subject matter expertise strategies, and impact exposure or delivery of your work. These soft skills are important to your career success. So this week will be on maximizing DFIR exposure in your current role, whatever that role may be. I will cover how to connect the work you do with the high-level strategies that are important to your management or your customers.
8/24/202112 minutes, 3 seconds
Episode Artwork

DFSP # 287 - CSA Cloud Threats 6

This week is a continuation of the threats to cloud computing miniseries. We are stepping through the top 11 threats to cloud computing as identified by the Cloud Security alliance. When you are protecting cloud assets or investigating breaches of cloud assets, there is a lot to keep in mind. You must remember the standard security infrastructure, the new cloud infrastructure as well as any changes to the standard infrastructure that could be affected for your investigation. The top 11 threats to cloud computing help identify where you, as an analyst, should prioritize your time both as a starting point and how you use your limited time for continuing education. 
8/17/202111 minutes, 26 seconds
Episode Artwork

DFSP # 286 - Lateral MM Fast Triage 2 [5145]

This week we continue with the Windows fast triage series. We are up to lateral movement and talking about admin shares. On topic this week is event 5145 which is a Windows log that records verbose information about network share objects and it is an artifact you can use to triage a system or group of systems for evidence of malicious lateral movement. 
8/10/202115 minutes, 16 seconds
Episode Artwork

DFSP # 285 - Linux Malware Triage

This week I wanted to take a break from Windows forensics and talk about Linux malware triage. The Linux platform offers forensic analysts the opportunity to do a very decent job performing malware triage. What I mean by this is that you do not need any special tools installed, all you essentially need is the knowledge of a handful of commands in the ability to make sense of the output. Armed with this, any analyst can do a malware triage quickly and efficiently.
8/3/202120 minutes, 55 seconds
Episode Artwork

DFSP # 284 - Fast Triage case study: non-Windows core processes

This week we’re going to take a look at how standard triage methodology can detect advanced attack techniques. Even as a newer examiners, if you learn the standard triage methods that I have covered in the fast triage series, you will find the skills provide ample opportunity to detect all sorts attack activity-even very advanced attack activity. This is because there are natural chokepoints in the attack chain that can be used to your advantage. This week we are going to see the non-Windows core process triage in action through the lens of a very advanced attack dubbed “operation ghost.”
7/27/202115 minutes, 40 seconds
Episode Artwork

DFSP # 283 - CSA Cloud Threats 5

This week we take another look at the top threats to cloud computing. On tap This week is account hijacking. All analysts working in the DFIR field today must be aware of threats to cloud computing in order to be effective in their roles. 
7/20/202110 minutes, 19 seconds
Episode Artwork

DFSP # 282 - Lateral MM Fast Triage

This week I talk about lateral movement fast triage. This is the next topic in the Windows fast triage miniseries and it aligns with the goal of the entire series, which is to help new or any analyst identify the most accessible artifacts that may be quickly analyzed to find evidence of compromise. So far we have dealt with persistence, suspicious network activity, and suspicious processes. As always, I will provide a simple yet effective approach to work with lateral movement artifacts.
7/13/202112 minutes, 12 seconds
Episode Artwork

DFSP # 281 - Fast Triage case study: persistence

This week I’m doing another walk-through to illustrate how standard triage methodology can detect advanced attack techniques. Sometimes as a newer examiner, it’s easy to become overwhelmed with the technical detail necessary to understand and attack. It’s also easy to become discouraged and convince yourself that it’s way too complicated for your current skill set and you may not even feel useful as a team member. This episode is going to dispel all of that and show you how a focus on the standard fast triage method provides all the knowledge you need to detect and advanced breach into an environment.
7/6/202112 minutes, 34 seconds
Episode Artwork

DFSP # 280 - Malware Fast Triage

This week I’m covering malware fast triage. It occurred to me that I should revisit this issue for a couple of different reasons. I remember covering this many years ago and I believe that’s why I haven’t thought about doing anything on it lately. However, it does go hand-in-hand with the Windows fast triage series that I am doing. Part of that strategy is to look for “common malware patterns.” In an effort to maximize what the listeners get from the episodes I figured this topic definitely needs to be revisited so that when I use that term, you are at least clear on what I mean by it and the method it represents.
6/29/202117 minutes, 55 seconds
Episode Artwork

DFSP # 279 - CSA Cloud Threats 4

This week is about the top threats to cloud computing.
6/22/202114 minutes, 15 seconds
Episode Artwork

DFSP # 278 - Process Triage & CMD

This week is a continuation of the Windows fast triage miniseries. While other aspects of the triage miniseries had fairly contained artifacts to examine, new process triage presents a large and complex landscape to the analyst. I have already broken down a number of effective analysis methods to make this more manageable. This week I focus on key applications to look for during a review. These applications tend to be associated more with malicious activity, at least according to threat intelligence research, so being aware of them and recognizing the potential is important. I also spend some time talking about the nuances of CMD.
6/15/202117 minutes, 30 seconds
Episode Artwork

DFSP # 277 - Learning from the Red Team II

A while back I did an episode on “learning from the red team” which focused on methods blue team members can utilize to better understand attacks and the artifacts affected by those attacks. One of the advantages of this method that I did not mention in that episode was how to use open source vulnerability scanners for the same purpose. This week, will be part two and I will go over freely available resources and the method to help you gain better insight into forensic artifacts.
6/8/202110 minutes, 57 seconds
Episode Artwork

DFSP # 276 - CVSS Fast Analysis

This week is about how size up a reported vulnerability quickly.
6/1/202115 minutes, 29 seconds
Episode Artwork

DFSP # 275 - dotNET

This week I tackle .NET. It is an ecosystem that is associated with malicious Powershell activity.
5/25/20219 minutes, 9 seconds
Episode Artwork

DFSP # 274 - Powershell Revisited

This week I revisited powershell from a process fast triage context.
5/18/202117 minutes, 39 seconds
Episode Artwork

DFSP # 273 - CSA Cloud Threats 3

This week is about the top threats to cloud computing.
5/11/202112 minutes, 47 seconds
Episode Artwork

DFSP # 272 - 4688

This week I continue with the fast triage method for processes with a focus on historical records.
5/4/202116 minutes, 6 seconds
Episode Artwork

DFSP # 271 - DREAD and STRIDE

This week I cover threat modeling from a DFIR point-of-view. It provides a standard framework to classify and rate the severity of vulnerabilities discovered during investigations.
4/27/202113 minutes, 53 seconds
Episode Artwork

DFSP # 270 - CAPEC

This week I run through a threat intel resource you may use for standardized attack information.
4/20/202111 minutes, 32 seconds
Episode Artwork

DFSP # 269 - Svchost Revisited

This week I revisit Svchost and the triage methods to apply.
4/13/202118 minutes, 7 seconds
Episode Artwork

DFSP # 268 - CSA Cloud Threats 2

This week is about the top threats to cloud computing.
4/6/202119 minutes, 6 seconds
Episode Artwork

DFSP # 267 - Sunscreen

This week is a case study that demonstrates the power behind IR fundamental methodology.
3/30/202114 minutes, 31 seconds
Episode Artwork

DFSP # 266 - Windows non-core processes

This week I continue with the fast triage method for processes with a focus on, well, everything else!
3/23/202118 minutes, 23 seconds
Episode Artwork

DFSP # 265 - CSA Cloud Threats 1

This week is about the top threats to cloud computing.
3/16/202119 minutes, 55 seconds
Episode Artwork

DFSP # 264 - Golden SAML

This week is about preparing for Golden SAML attacks for both Incident Response and Threat Hunting.
3/9/202112 minutes, 37 seconds
Episode Artwork

DFSP # 263 - Threat Hunt with Statistics

This week is about applying basic statistical analysis to threat hunting. The results are effective!
3/2/202125 minutes, 59 seconds
Episode Artwork

DFSP # 262 - Security Theatre

This week is about theatrics in security and how to avoid the trap.
2/23/202117 minutes, 51 seconds
Episode Artwork

DFSP # 261 - Wincore Processes Revisited part 2

This week I revisit Windows Core Processes and the triage methods to apply to them.
2/16/202115 minutes, 12 seconds
Episode Artwork

DFSP # 260 - Learn from the Red Team

This week I talk about vulnhub, a free resource to practice ethical hacking skills and sharpen your DFIR skills.
2/9/202114 minutes, 43 seconds
Episode Artwork

DFSP # 259 - Wincore Processes Revisited part 1

This week I revisit Windows Core Processes and the triage methods to apply to them.
2/2/202120 minutes, 19 seconds
Episode Artwork

DFSP # 258 - Network Triage Part 4

This week is the fourth part of the Network-Fast-Triage mini-series. In this installation I cover triage techniques for Windows event logs that record blocked network activity.
1/26/202115 minutes
Episode Artwork

DFSP # 257 - Supply Chain Attacks

This week is about supply chain security posture from a DFIR point-of-view.
1/19/202117 minutes, 13 seconds
Episode Artwork

DFSP # 256 - Kernel Process Masquerading

This week I go over a method to detect kernel process masquerading on Linux systems.
1/12/20219 minutes, 4 seconds
Episode Artwork

DFSP # 255 - The Worship of Intelligence in Tech

This week I interview author Shawn Livermore about the myth of the "tech-genius."
1/5/202125 minutes, 49 seconds
Episode Artwork

DFSP # 254 - Network Triage Part 3

This week is the third part of the Network-Fast-Triage mini-series. In this installation I cover triage techniques for Windows event logs that record network port-binding.
12/29/202016 minutes, 41 seconds
Episode Artwork

DFSP # 253 - Network Triage Part 2

This week is the second part of the Network-Fast-Triage mini-series. In this installation I cover triage techniques for Windows event logs that record network connections.
12/22/202015 minutes, 1 second
Episode Artwork

DFSP # 252 - Werfault

This week I cover triage techniques for werfault.exe. The process does not have the best documentation which makes it a challenge to triage.
12/15/202014 minutes, 42 seconds
Episode Artwork

DFSP # 251 - The Rise of Crypto SIM Swapping

This week I interview Haseeb Awan, CEO of EFANI, about the rise of SIM swapping attacks. Haseeb explains the attack, how attackers carry it out, and provides some mitigation strategies.
12/8/202032 minutes, 14 seconds
Episode Artwork

DFSP # 250 - Network Triage Part 1

This week is the first part of the Network-Fast-Triage mini-series. The first installation is the network investigation primer.
12/1/202014 minutes, 52 seconds
Episode Artwork

DFSP # 249 - Linux Fileless Attacks

This week I go over a method to detect fileless malware on Linux systems.
11/24/202015 minutes, 34 seconds
Episode Artwork

DFSP # 248 - Searchsploit

This week I talk utilizing the ExploitDB for DFIR investigations. Searchsploit is a command line search tool for Exploit-DB that allows you the power to perform detailed off-line searches through your locally checked-out copy of the repository. This capability is particularly useful for security assessments on segregated or air-gapped networks without Internet access.
11/17/202018 minutes, 20 seconds
Episode Artwork

DFSP # 247 - Startup Locations

This week is the last part of the Persistence-Fast-Triage mini-series. The final installation covers Windows startup locations.
11/10/202014 minutes, 34 seconds
Episode Artwork

DFSP # 246 - Investigation Lifecycle

This week I talk about the IR Investigation Lifecycle, or, the elements included within the incident handling process to ensure a complete investigation.
11/3/202017 minutes, 24 seconds
Episode Artwork

DFSP # 245 - Fetch and Execute

This week I talk about the use of RUNDLL32 to exploit information files (.INF) to "fetch and execute" malware.
10/27/202016 minutes, 5 seconds
Episode Artwork

DFSP # 244 - Registry Persistence Part 3

This week is part 3 of examining the Windows Registry for evidence of persistence and the focus is on Windows Registry Modification Event Records.
10/20/202020 minutes, 31 seconds
Episode Artwork

DFSP # 243 - Stomping the Clock

This week I talk about detecting time stomping on Windows and Linux systems.
10/13/202015 minutes, 35 seconds
Episode Artwork

DFSP # 242 - Registry Persistence Part 2

This week I talk about examining the Windows Registry for evidence of persistence.
10/6/202019 minutes, 49 seconds
Episode Artwork

DFSP # 241 - Forensic Hardware

This week I interview JASON ROSLEWICZ of SUMURI about the hardware that drives your forensics system.
9/29/202027 minutes, 20 seconds
Episode Artwork

DFSP # 240 - MDM

This week is part 3 of the Mobile Attack series.
9/22/202019 minutes, 42 seconds
Episode Artwork

DFSP # 239 - Registry Persistence Part 1

This week I talk about examining the Windows Registry for evidence of persistence.
9/15/202017 minutes, 34 seconds
Episode Artwork

DFSP # 238 - Bash Attacks

This week I talk about the use of Bash commands in crypto-mining attacks.
9/8/202015 minutes, 28 seconds
Episode Artwork

DFSP # 237 - Attack Shimming

This week I talk about detecting persistence via Attack Shimming artifacts.
9/1/202012 minutes, 53 seconds
Episode Artwork

DFSP # 236 - Apple FSEvents

This week I interview Steve Whalen of SUMURI about Apple FSEvent artifacts. Learn what they are and how to leverage them for investigations.
8/25/202022 minutes, 31 seconds
Episode Artwork

DFSP # 235 - Scheduled Task Change

This week I talk about examining Windows Scheduled Task change events for evidence of persistence.
8/18/202017 minutes, 51 seconds
Episode Artwork

DFSP # 234 - Divide & Conquer with Brian Carrier

This week I interview Brian Carrier, SVP & CTO of Basis Technology about his "Divide & Conquer" approach to DFIR investigations.
8/11/202021 minutes, 11 seconds
Episode Artwork

DFSP # 233 - New Scheduled Tasks

This week I talk about examining Windows New Scheduled Task events for evidence of persistence.
8/4/202021 minutes, 44 seconds
Episode Artwork

DFSP # 232 - Exam Process - Soup-to-Nuts

This week Chris of MSAB shares his recommended process for DFIR exam standardization.
7/28/202032 minutes, 53 seconds
Episode Artwork

DFSP # 231 - Service Change Triage

This week I talk about examining Windows Service modification events for evidence of persistence.
7/21/202018 minutes, 28 seconds
Episode Artwork

DFSP # 230 - User Activity Artifacts

This week I talk about the artifacts and methodology for examining user activity on Windows systems.
7/14/202021 minutes, 38 seconds
Episode Artwork

DFSP # 229 - Mobile Attacks Part 2

This week is part 2 of the Mobile Attack series.
7/7/202020 minutes, 13 seconds
Episode Artwork

DFSP # 228 - Psychology of Reporting

This week I interview Steve Whalen of SUMURI and we talk about effective ways to report forensic findings.
6/30/202023 minutes, 28 seconds
Episode Artwork

DFSP # 227 - New Service Triage

This week I talk about examining Windows systems for evidence of persistence.
6/23/202013 minutes, 48 seconds
Episode Artwork

DFSP # 226 - User Logons

This week I talk about a triage methodology for examining user activity.
6/16/202016 minutes, 41 seconds
Episode Artwork

DFSP # 225 - Mobile Device Attacks

This week I talk about mobile device compromise.
6/9/202016 minutes, 48 seconds
Episode Artwork

DFSP # 224 - Conhost Forensics

This week I talk about examining Conhost data for evidence of execution.
6/2/202021 minutes, 2 seconds
Episode Artwork

DFSP # 223 - Apple Meta

This week I interview Steve Whalen of SUMURI about Apple metadata.
5/26/202028 minutes
Episode Artwork

DFSP # 222 - User Enumeration

This week I talk about a triage methodology for examining suspicious user accounts.
5/19/202012 minutes, 13 seconds
Episode Artwork

DFSP # 221 - Mobile Device Security

This week I talk about mobile device operating system and file system security, focusing specifically on applications.
5/12/202014 minutes, 57 seconds
Episode Artwork

DFSP # 220 - Mobile Forensics For New Investigators

This week I interview MSAB instructor Chris Currier about mobile forensics for new examiners.
5/5/202035 minutes, 21 seconds
Episode Artwork

DFSP # 219 - Forensic Grab Bag

This week I talk about persistence, malware analysis and identifying system owners.
4/28/202017 minutes, 39 seconds
Episode Artwork

DFSP # 218 - Plaso & Elk Timelines

This week I talk about SOF-ELK to take your timelines to a new level
4/21/202013 minutes, 57 seconds
Episode Artwork

DFSP # 217 - Static Malware Analysis

This week I talk about CFF Explorer.
4/14/202012 minutes, 25 seconds
Episode Artwork

DFSP # 216 - DHASH

This week I talk with MSAB about DHASH, learn what it is and its use in DFIR investigations
4/7/202015 minutes, 4 seconds
Episode Artwork

DFSP # 215 - CMSTP Forensics

This week I cover triaging CMSTP for remote execution
3/31/202014 minutes, 57 seconds
Episode Artwork

DFSP # 214 - CyberChef

This week I explain why you need CyberChef in your toolbox
3/24/202020 minutes, 24 seconds
Episode Artwork

DFSP # 213 - Trusted Developer Utilities

This week I talk DFIR triage for Microsoft Trusted Dev Utilities
3/17/202014 minutes, 58 seconds
Episode Artwork

DFSP # 212 - Learning Python

This week I review resources aimed at teaching you Python
3/10/202014 minutes, 54 seconds
Episode Artwork

DFSP # 211 - Mac Forensics with Steve Whalen

This week I interview Steve Whalen from SUMURI about the current Mac Forensic landscape
3/3/202033 minutes, 25 seconds
Episode Artwork

DFSP # 210 - Pivot Tables for Forensics

This week I talk about Pivot Tables and their value for DFIR investigations
2/25/202018 minutes, 26 seconds
Episode Artwork

DFSP # 209 - Mac Autoruns

This week I talk about common autorun locations to check during Mac exams
2/18/202013 minutes, 45 seconds
Episode Artwork

DFSP # 208 - Persistence Fast Triage

This week I talk about a fast triage methodology to detect persistence on Windows systems
2/11/202019 minutes, 12 seconds
Episode Artwork

DFSP # 207 - Forensic Grab Bag

This week I talk about tools available on the SIFT workstation... that you may not know or even there!
2/4/202017 minutes, 33 seconds
Episode Artwork

DFSP # 206 - Certutil Abuse

This week I talk breakdown certutil exploitation; what it is and methods to detect malicious usage
1/28/202016 minutes, 42 seconds
Episode Artwork

DFSP # 205 - Layered Drivers

This week I talk about using layered drivers as an artifact to identify persistence
1/21/202010 minutes, 38 seconds
Episode Artwork

DFSP # 204 - SOF ELK

This week I talk about SOF ELK, a freely available pre-built virtual appliance for DFIR work
1/14/202013 minutes, 5 seconds
Episode Artwork

DFSP # 203 - Profile of a modern analyst

This week I start the year with my traditional "back-to-basics" episode, focusing on self-improvement themes and goals to consider
1/7/202016 minutes, 54 seconds
Episode Artwork

DFSP # 202 - Base64 Forensics

This week I talk about dealing with Base64 evidence.
12/31/201913 minutes, 5 seconds
Episode Artwork

DFSP # 201 - Regsvcs Triage

This week I talk about identifying REGSVC \ REGASM abuse
12/24/201912 minutes, 37 seconds
Episode Artwork

DFSP # 200 - Audit Log Clearing

This week I talk about different types of audit log clearing and detection strategies
12/17/201916 minutes, 29 seconds
Episode Artwork

DFSP # 199 - Hashdeep

This week I talk about using Hashdeep for forensic triage
12/10/201916 minutes, 6 seconds
Episode Artwork

DFSP # 198 - Linux Malware Detect

This week I talk about LMD, an openly available tool to increase Linux security posture.
12/3/201911 minutes, 45 seconds
Episode Artwork

DFSP # 197 - Approaching Network Forensics

This week I talk about network forensic methodology.
11/26/201921 minutes, 56 seconds
Episode Artwork

DFSP # 196 - autoLLR

This week I talk about autoLLR, a script to automate evidence collection on live Linux systems as well as artifact post processing.
11/19/201914 minutes, 55 seconds
Episode Artwork

DFSP # 195 – BAM!

This week I talk about the Windows Background Activity Monitor, an artifact that may be used to find evidence of execution.
11/15/201912 minutes, 56 seconds
Episode Artwork

DFSP # 194 - Powershell Collection Tools

This week I talk about some issues surrounding powershell when used as a digital forensic collection tool.
11/5/201914 minutes, 9 seconds
Episode Artwork

DFSP # 193 - LOKI

This week I talk about LOKI, a tool designed to help analyst scan for APT IOCs.
10/29/201915 minutes, 9 seconds
Episode Artwork

DFSP # 192 - KAPE

This week I talk about KAPE, a freely available forensic evidence collection and triage tool.
10/22/201917 minutes, 13 seconds
Episode Artwork

DFSP # 191 - Linux File Systems

This week I talk about the common Linux file systems and what to expect when dealing with different hosts. 
10/15/201912 minutes, 41 seconds
Episode Artwork

DFSP # 190 - Dead Simple Boot Disks

This week I go over how to create a boot disk using the native capability of Ubuntu. You'll never have to rely on third-party tools again!
10/9/201916 minutes, 2 seconds
Episode Artwork

DFSP # 188 - Container Attack Vectors

This week I breakdown container attack vectors for Cloud Incident Response.
10/1/201922 minutes, 42 seconds
Episode Artwork

DFSP # 187 - SUDOERS File and Forensics

This week I breakdown the SUDOERS file for forensic triage.
10/1/201914 minutes, 45 seconds
Episode Artwork

DFSP # 186 - Powershell Forensics

This week I talk about Powershell through the lens of the Service Control Manager.
10/1/201922 minutes, 24 seconds
Episode Artwork

DFSP # 189 - NVMe

This week I talk about NVMe, a data storage technology, from a forensic point of view.
10/1/201915 minutes, 56 seconds
Episode Artwork

DFSP # 185 - Understanding Linux Executables

This week I cover how to approach Linux binaries during investigations.
9/30/201917 minutes, 53 seconds
Episode Artwork

DFSP # 184 - Cloud Incident Response

This week I continue the series about the DFIR changes on the horizon with cloud technology and focus on AWS EC2 forensics.
8/27/201919 minutes, 43 seconds
Episode Artwork

DFSP # 183 - WMI Forensics

This week I talk about using WMI to create processes remotely.
8/20/201922 minutes, 3 seconds
Episode Artwork

DFSP # 182 - Density Scout

This week I talk about Density Scout, an open source tool for malware triage.
8/13/201910 minutes, 56 seconds
Episode Artwork

DFSP # 181 - Remote Execution One-Liners

This week I cover a resource you can use to develop windows remote execution triage methodology and threat hunting.
8/6/201915 minutes, 46 seconds
Episode Artwork

DFSP # 180 - Credential Guard

This week I talk about the Windows credential guard process.
7/30/201910 minutes, 7 seconds
Episode Artwork

DFSP # 179 - OWASP: Insufficient logging and monitoring

This week I talk about OWASP's Number 10 vulnerability category from their top 10 list, insufficient logging and monitoring.
7/23/201917 minutes, 9 seconds
Episode Artwork

DFSP # 178 - Attacker Recon Commands

This week I talk about the most frequently seen attacker recon commands.
7/16/201918 minutes, 56 seconds
Episode Artwork

DFSP # 177 - PSEXEC Forensics

This week I talk about a popular Windows utility attackers often exploit.
7/9/201917 minutes, 53 seconds
Episode Artwork

DFSP # 176 - Cloud Incident Response

This week I talk about incident response in container deployments.
7/2/201917 minutes, 55 seconds
Episode Artwork

DFSP # 175 - OWASP: Components with Known Vulnerabilities

This week I talk about OWASP's Number 9 vulnerability category from their top 10 list, components with known vulnerabilities.
6/25/201910 minutes, 50 seconds
Episode Artwork

DFSP # 174 - The VMEM Experience

This week I talk about the challenges of working with VMEM files for memory forensics.
6/18/201910 minutes, 16 seconds
Episode Artwork

DFSP # 173 - Cloud Incident Response

This week I talk about the DFIR changes on the horizon with cloud technology.
6/11/201915 minutes
Episode Artwork

DFSP # 172 - High Optane

This week I talk about Intel's emerging technology called Optane end it anticipated affects on DFIR investigations.
6/4/201911 minutes, 58 seconds
Episode Artwork

DFSP # 171 - OWASP: Breakfast Cereal

This week I talk about OWASP's Number 8 vulnerability category from their top 10 list, insecure deserialization.
5/28/201913 minutes, 53 seconds
Episode Artwork

DFSP # 170 - The Crypto-Landscape

This week I talk about the crypto attack landscape.
5/21/201919 minutes, 33 seconds
Episode Artwork

DFSP # 169 - Will The Future Kill DFIR?

DFIR are professionals often worry if advances in artificial intelligence and automation are going to put them out of work. This week I address the issue and give my projection, based on expert sources, of what the future of forensics will look like.
5/14/201924 minutes, 57 seconds
Episode Artwork

DFSP # 168 - Is CEH Still Relevant?

I recently passed my certified ethical hacker certification test. This week I thought I would talk about why I chose the certification.
5/7/201915 minutes, 52 seconds
Episode Artwork

DFSP # 167 - OWASP: XSS

This week I talk about OWASP's Number 7 vulnerability category from their top 10 list, cross site scripting.
4/30/201916 minutes, 57 seconds
Episode Artwork

DFSP # 166 - SVCHOST Abuse

This week I talk about SVCHOST. This Windows core process is one of the most targeted artifacts that comes up again and again during investigations.
4/23/201913 minutes, 45 seconds
Episode Artwork

DFSP # 165 - Windows Core Processes

This week I go over how to approach windows core processes from the standpoint of fast triage methodology. Since these processes are found on all window systems it makes sense to develop and investigative approach that focuses on quickly reviewing each process for anomalies.
4/16/201915 minutes, 25 seconds
Episode Artwork

DFSP # 164 - Mobile Device Compromise Assessment

This week I talk about the investigative value of creating a mobile compromise assessment strategy.
4/9/201919 minutes, 8 seconds
Episode Artwork

DFSP # 163 - DFIR Job Interviews

This week I share my thoughts on DFIR job interviews. How to prepare. Things to consider. Pitfalls to avoid.
4/2/201921 minutes, 27 seconds
Episode Artwork

DFSP # 162 - OWASP: Security Misconfigurations

This week I talk about OWASP's Number 6 vulnerability category from their top 10 list, Security Misconfiguration. I explore the issue from a DFIR point of view.
3/26/201916 minutes, 5 seconds
Episode Artwork

DFSP # 161 - Social Engineering Toolkit

This week I talk about all the fun you can have ethically hacking with SET
3/19/201917 minutes, 22 seconds
Episode Artwork

DFSP # 160 - Serpico

Serpico makes report writing suck less! Check it out.
3/12/201919 minutes, 32 seconds
Episode Artwork

DFSP # 159 - Linux Triage

This week I talk more about Linux triage methods.
3/5/201923 minutes, 13 seconds
Episode Artwork

DFSP # 158 - OWASP: Broken Access Control

This week I talk about OWASP's Number 5 vulnerability category from their top 10 list, Broken Access Control. I explore the issue from a DFIR point of view.
2/26/201913 minutes, 57 seconds
Episode Artwork

DFSP # 157 - File Comparison Strategies

This week I discuss some techniques for comparing files and folders for DFIR investigations.
2/19/201919 minutes, 6 seconds
Episode Artwork

DFSP # 156 - B2B: Career Maintenance

This week I share my thoughts on assessing DFIR career path progression.
2/12/201928 minutes, 7 seconds
Episode Artwork

DFSP # 155 - YARA Almighty

This week I talk about the forensic value of YARA.
2/5/201920 minutes, 59 seconds
Episode Artwork

DFSP # 154 - OWASP: XXE

This week I talk about OWASP's Number 4 vulnerability category from their top 10 list, XXE attacks. I explore the issue from a DFIR point of view.
1/29/201911 minutes, 17 seconds
Episode Artwork

DFSP # 153 - Google Dorks

This week I talk about the Google Hacking Database.
1/22/201910 minutes, 35 seconds
Episode Artwork

DFSP # 152 - CEWL

This week I talk about CEWL, a freely available tool for crawling websites to produce unique wordlists (think password attacks!)
1/15/201912 minutes, 10 seconds
Episode Artwork

DFSP # 151 - Autoweb Project

This week I talk about my new Github page and the autoweb script.
1/8/201916 minutes, 14 seconds
Episode Artwork

DFSP # 150 - AppLocker Bypass

This week I talk about Applocker Bypass from a DFIR point of view.
1/3/201913 minutes, 5 seconds
Episode Artwork

DFSP # 149 - OWASP: Sensitive Data Exposure

This week I talk about OWASP's Number 3 vulnerability category from their top 10 list, sensitive data exposure. I explore the issue from a DFIR point of view.
12/27/201818 minutes, 2 seconds
Episode Artwork

DFSP # 148 - Threat Hunting Tips

This week I talk about tips for building a threat hunting program.
12/18/201834 minutes, 17 seconds
Episode Artwork

DFSP # 147 - Webshell Breakdown

This week I break down webshells for threat hunting and incident response triage.
12/11/201819 minutes, 26 seconds
Episode Artwork

DFSP # 146 - Mimikatz Detection

This week I talk about contacting Mimikatz through windows event log.
12/4/201816 minutes, 1 second
Episode Artwork

DFSP # 145 - PDF Forensics

This week I talk about PDF analysis tools to check for malicious indictors in PDFs.
11/27/201813 minutes, 44 seconds
Episode Artwork

DFSP # 144 - OWASP: Broken Authentication

This week I talk about OWASP and why you should be paying attention.
11/20/201815 minutes, 22 seconds
Episode Artwork

DFSP # 143 - Tips from the Trenches

Tips from the DFIR Trenches
11/13/201813 minutes, 39 seconds
Episode Artwork

DFSP # 142 - CRON 101

This week I breakdown CRON for the uninitiated.
11/6/201812 minutes, 44 seconds
Episode Artwork

DFSP # 141 - Logon Triage

This week I talk about investigation strategies for logon events.
10/30/201812 minutes, 38 seconds
Episode Artwork

DFSP # 140 - PCAP Hunting

This week I talk about PCAP hunting strategies.
10/23/201818 minutes, 20 seconds
Episode Artwork

DFSP # 139 - Linux Crypto-Mining Malware Tactics

This week I interview Craig Rowland of Sandfly Security about crypto-mining attacks on Linux systems. Learn more about Sandfly at https://www.sandflysecurity.com
10/16/201833 minutes, 12 seconds
Episode Artwork

DFSP # 138 - OWASP Top 10

This week I talk about OWASP and why you should be paying attention.
10/9/201819 minutes, 45 seconds
Episode Artwork

DFSP # 137 - Fast Flux

This week I talk about the attack methodology known as Fast Flux.
10/2/201814 minutes, 20 seconds
Episode Artwork

DFSP # 136 - Scheduled Task Triage Part 2

This week I talk about details about what to look at in Scheduled Task records for forensic triage.
9/25/201814 minutes, 6 seconds
Episode Artwork

DFSP # 135 - Scheduled Task Triage Part 1

This week I talk about details about what to look at in Scheduled Task records for forensic triage.
9/18/201813 minutes, 25 seconds
Episode Artwork

DFSP # 134 -OfficeMalScanner

This week I talk OfficeMalScanner, a malware scanner for Microsoft document
9/11/201817 minutes, 21 seconds
Episode Artwork

DFSP # 133 - Know Thy Logs

This week I talk Ultimate windows security
9/4/201817 minutes, 4 seconds
Episode Artwork

DFSP # 132 - Root Cause

This week I talk about methodologies to investigate root cause during incident response investigations.
8/28/201818 minutes, 19 seconds
Episode Artwork

DFSP # 131 - PIDS

This week I talk about PIDS in their uses and computer forensic investigations.
8/21/201821 minutes, 27 seconds
Episode Artwork

DFSP # 130 - Network Scoping

This week I talk about scoping network connections as part of incident response triage
8/14/201817 minutes, 27 seconds
Episode Artwork

DFSP # 129 - Excel Fu for Frequency Analysis

This week I talk more excel fu tips
8/7/201820 minutes, 9 seconds
Episode Artwork

DFSP # 128 - GREP vs SED vs AWK

This week I talk the difference between common text processing utilities used in forensic analysis
7/31/201817 minutes, 31 seconds
Episode Artwork

DFSP # 127 - DNS & Forensics

This week I talk about DNS and forensics
7/24/201820 minutes, 13 seconds
Episode Artwork

DFSP # 126 - Star Grepping

This week I talk about the value of Grep as a forensic skillset
7/17/201826 minutes, 44 seconds
Episode Artwork

DFSP # 125 - Distributed Hash Cracking

This week I talk about distributed password cracking with Hashtopolis for Hashcat
7/10/201819 minutes, 45 seconds
Episode Artwork

DFSP # 124 - iOS USB Restricted Mode

This week I talk about the security changes coming with iOS 11.4
7/3/201820 minutes, 32 seconds
Episode Artwork

DFSP # 123 - IP Triage

This week I talk about IP address and domain triage for computer forensic investigations.
6/26/201822 minutes, 58 seconds
Episode Artwork

DFSP # 122 - ATT&CK Matrix

This week I talk about ATT&CK for Enterprise
6/19/201816 minutes, 51 seconds
Episode Artwork

DFSP # 121 - Adventures in Scripting

This week I talk about getting started in scripting
6/12/201818 minutes, 22 seconds
Episode Artwork

DFSP # 120 - Rita

This week I talk about Rita, a free Threat Hunting Tool from Black Hills Information Security
6/5/201816 minutes, 53 seconds
Episode Artwork

DFSP # 119 - MFT2CSV

This week I review mft2csv
5/29/201821 minutes, 23 seconds
Episode Artwork

DFSP # 118 - .bash_history forensics

This week I talk about Linux triage using the /.bash_history artifact
5/22/201820 minutes, 21 seconds
Episode Artwork

DFSP # 117 - USNJRNL Tool Review

This week I review two tools for extracting and parsing USNJRNL evidence.
5/15/201818 minutes, 13 seconds
Episode Artwork

DFSP # 116 - Automatic Detection of Malware from Memory Analysis

This week I talk about a clever way to leverage Volatility to triage malware on a target system
5/8/201820 minutes, 25 seconds
Episode Artwork

DFSP # 115 - Prefetch Tools

This week I talk about 6 different prefetch tools that are FREE!
5/1/201819 minutes, 27 seconds
Episode Artwork

DFSP # 114 - Go Norse!

This week I talk about keeping up with attack intelligence.
4/24/201812 minutes, 28 seconds
Episode Artwork

DFSP # 113 - Dead Simple Timelines

This week I do a tool review of CYLR and CDQR - perhaps the easiest way to build an awesome timeline
4/17/201816 minutes, 38 seconds
Episode Artwork

DFSP # 112 - Port Forensics?

This week I talk how common ports plays into network forensics.
4/10/201815 minutes, 50 seconds
Episode Artwork

DFSP # 111 - Network Triage

This week I go over some Network Forensic artifacts and what they offer to an investigation.
4/3/201816 minutes, 30 seconds
Episode Artwork

DFSP # 110 - Web Browser Forensics with Foxton

This week I review two freely available forensic tools from Foxton Forensics
3/27/201814 minutes, 24 seconds
Episode Artwork

DFSP # 109 - OLEDump

This week I talk about OLEDump, a malware analysis tool for investigating suspicious macros in MS Office documents
3/20/201817 minutes, 56 seconds
Episode Artwork

DFSP # 108 - Under the Radare

This week I talk about Cutter, a static malware analysis tool by Radare
3/13/201816 minutes, 5 seconds
Episode Artwork

DFSP # 106 - Cryptocurrency 1-2-3

This week I go over an easy way to get set-up to start using crypto-currency to testing \ validation \ and self-training purposes
2/27/201823 minutes, 46 seconds
Episode Artwork

DFSP # 105 - from Zero to JTAG

This week I interview an industry expert about mobile device JTAG and ISP forensics.
2/20/201836 minutes, 56 seconds
Episode Artwork

DFSP # 104 - UserAssist Forensics

This week I talk about the userassist artifact for file use and knowledge investigations.
2/13/201819 minutes, 54 seconds
Episode Artwork

DFSP # 103 - B2B USB Forensics

This week I talk about resolving USB usage back to specific systems and user accounts.
2/6/201813 minutes, 26 seconds
Episode Artwork

DFSP # 102 - B2B Windows Explorer

This week I talk about Windows Explorer evidence.
1/30/201814 minutes, 28 seconds
Episode Artwork

DFSP # 101 - B2B Shellbags

This week I talk about Windows Shellbags.
1/23/201814 minutes, 52 seconds
Episode Artwork

DFSP # 100 - B2B Shimcache

This week I continue the back to basics series with talk on the Windows Shimcache.
1/16/201819 minutes, 52 seconds
Episode Artwork

DFSP # 099 - B2B with Prefetch

This week it's a refresher on the Windows Prefetch, a core Microsoft artifact every examiner should know.
1/9/201828 minutes
Episode Artwork

DFSP # 098 - Back to basics 2018

This week I kick off a revisit of the fundamentals helpful to all new examiners.
1/2/201818 minutes, 40 seconds
Episode Artwork

DFSP # 097 - The Main Event

This week I go over some "go to" Windows Event Logs.
12/26/201722 minutes, 28 seconds
Episode Artwork

DFSP # 096 - OS X Unified Logging

This week I talk about Mac Logs, namely the new Unified Logging in OS X and how this impacts forensic exams.
12/19/201714 minutes, 51 seconds
Episode Artwork

DFSP # 095 - freE-DISCOVERY?

This week I talk about the "built-in" eDiscovery tools for Office 365
12/12/201720 minutes, 41 seconds
Episode Artwork

DFSP # 094 - 31 Flavors of Malware Analyst

This week I break down the different variations of the "malware analyst." Do you qualify as one?
12/5/201718 minutes, 32 seconds
Episode Artwork

DFSP # 093 - Chocolate Peanut Butter Moment

This week I talk about the volatility plug-ins for autopsy that allow you to do memory forensics in the autopsy forensic console.
11/28/201730 minutes, 39 seconds
Episode Artwork

DFSP # 092 - New Apple File System

This week I talk about the new file system released by Apple, APFS, and what it means for forensic examiners.
11/21/201717 minutes, 27 seconds
Episode Artwork

DFSP # 091 - Red Team Field Manual

This week I talk about RTFM, the companion to the blue team field manual that's filled with over 1000 commands for windows and Linux.
11/14/201710 minutes, 48 seconds
Episode Artwork

DFSP # 090 - Microsoft Evaluation Center

This week talk about the Microsoft Evaluation Center, a resource Microsoft office to obtain evaluation versions of operating systems and products.
11/7/201712 minutes, 32 seconds
Episode Artwork

DFSP # 089 - So you want to DFIR?

This week I interview a DFIR practitioner about some of the little known facts about a career in the industry.
10/31/201734 minutes, 59 seconds
Episode Artwork

DFSP # 088 - Perfect Execution

This week I talk about the most popular artifacts to prove application execution
10/24/201712 minutes, 43 seconds
Episode Artwork

DFSP # 087 - DFIR Degrees

This week I interview a DFIR professional about his decision to get a Masters Degree in cyber security.
10/17/201730 minutes, 48 seconds
Episode Artwork

DFSP # 086 - BambiRaptor

This week I review a freely available Windows Live Response collection tool available from BriMor Labs.
10/10/201714 minutes, 39 seconds
Episode Artwork

DFSP # 085 - Leggo my Stego

This week I talk Stego; what it is and what challenges is presents to DFIR professionals.
10/3/201723 minutes, 58 seconds
Episode Artwork

DFSP # 084 - Blue Team Field Manual

This week I review Blue Team Field Manual, a reference guide for DFIR practitioners.
9/26/201725 minutes, 18 seconds
Episode Artwork

DFSP # 083 - cree.py

This week I talk about cree.py, an OSINT tool to profile social media accounts by geolocation.
9/19/201718 minutes, 35 seconds
Episode Artwork

DFSP # 082 - iPhone Forensics on the Cheap

This week I talk how to make a forensic iPhone backup using iTunes and triage of iPhone backup files using free forensic tools.
9/12/201721 minutes, 38 seconds
Episode Artwork

DFSP # 081 - OS X Collector

This week I go over OSX Collector, a freely available tool to collect and preprocess Mac artifacts for DFIR investigations.
9/5/201725 minutes, 33 seconds
Episode Artwork

DFSP # 080 - DFIR Operational Assessment

This week I talk about 4 questions about your DFIR unit from an operations standpoint to identify holes and get a better sense of your investigative capabilities.
8/29/201721 minutes, 33 seconds
Episode Artwork

DFSP # 079 - Thoughts on DASH Forensics

This week I talk about crypto currency 2.0 and feature DASH as the example.
8/22/201719 minutes, 52 seconds
Episode Artwork

DFSP # 078 - Bitcoin Forensics

This week I provide an overview of Bitcoin forensics for examiners new to these investigations.
8/15/201717 minutes, 55 seconds
Episode Artwork

DFSP # 077 - Crypto Currency 101

This week I break down crypto currency concepts for new computer forensic examiners.
8/8/201719 minutes, 35 seconds
Episode Artwork

DFSP # 076 - Strings!

This week I look talk about one of the most versatile tools for forensic triage and analysis - Strings!
8/1/201719 minutes, 57 seconds
Episode Artwork

DFSP # 075 - Capturing Websites as Evidence

This week I look at a methodology of capturing websites as evidence using HTTrack
7/25/201718 minutes, 59 seconds
Episode Artwork

DFSP # 074 - Detecting Lateral Movement

This week I review a document put out by the Japan Computer Emergency Response Team Coordination Center on "Detecting Lateral Movement through Tracking Event Logs."
7/18/201716 minutes, 26 seconds
Episode Artwork

DFSP # 073 - Jump Lists

This week I break down the forensic value of Windows Jump lists.
7/11/201719 minutes, 21 seconds
Episode Artwork

DFSP # 072 - Free Training & Free Beer

This week I talk about how to design your own training programs using low cost\ no cost options.
7/4/201718 minutes, 46 seconds
Episode Artwork

DFSP # 071 - Automated Malware Triage

This week I take a look at online sandboxes for malware analysis.
6/27/201722 minutes, 30 seconds
Episode Artwork

DFSP # 070 - Notepad++

This week I talk a Notepad++, a freely available code editing tool with some great options built in that are useful for inspecting forensic artifacts.
6/20/201718 minutes, 13 seconds
Episode Artwork

DFSP # 069 - Automated Memory Triage

This week I take a look at Redline by Mandiant, a tool that offers automated memory triage and much more.
6/13/201721 minutes, 20 seconds
Episode Artwork

DFSP # 068 - Is Scanning On-Scene Legit?

This week I explore the idea of using scanning tools as part of an on scene triage process in order to find hidden devices and\or to document the systems of the local network.
6/6/201724 minutes, 30 seconds
Episode Artwork

DFSP # 067 - IR A-Z

Looking for the ultimate DFIR checklist? This week I check out a freely available guidebook that, as the name implies, is aimed at addressing all things DFIR related A-Z.
5/30/201718 minutes, 8 seconds
Episode Artwork

DFSP # 066 - Skype Forensics

This week I talk about the Skype artifacts forensic examiners need to be aware of.
5/23/201720 minutes, 21 seconds
Episode Artwork

DFSP # 065 - Is CSA+ Certification right for you?

This week I take a look at CompTia's CSA+ certification and how it fits into a DFIR career.
5/16/201723 minutes, 35 seconds
Episode Artwork

DFSP # 064 - Chrome Forensics

This week it's back to browsers with Chrome Forensics.
5/9/201718 minutes, 28 seconds
Episode Artwork

DFSP # 063 - Bulk Extractor

This week is tool review week featuring Bulk Extractor. This is a great triage tool, lab tool and all around tool to help generate leads for your case.
5/2/201716 minutes, 59 seconds
Episode Artwork

DFSP # 062 - Building a Forensic VM with VirtualBox

This week I take you through some of the "pain points" of using VirtualBox as a forensic machine virtualization platform. VirtualBox is freely available and is a great tool to scale your lab and field systems at a low cost. VirtualBox does not have the "easy" buttons the pay tools have but do not let that stop you. In this episode I talk about the solutions that will have you up and running.
4/25/201720 minutes, 44 seconds
Episode Artwork

DFSP # 061 - Firefox Forensics

This week I talk Firefox forensics and identify the artifacts examiners need to know about.
4/18/201716 minutes, 53 seconds
Episode Artwork

DFSP # 060 - Browsing on the Edge

This week I’m talking about the Windows browser some are still surprised to learn about, MS Edge. Windows 10 comes with two browsers and in this week’s podcast I’m going to go over one of them, MS Edge, and what computer forensic examiners need to know about it.
4/11/201719 minutes, 40 seconds
Episode Artwork

DFSP # 059 - Thumbcache Forensics

This week I talk about surviving Windows Thumbcache forensics. A great source of evidence for File Use & Knowledge investigations.
4/4/201724 minutes, 41 seconds
Episode Artwork

DFSP # 058 - Linux FU&K Artifacts

This week I talk Linux forensics and breakdown some useful artifacts that may generate leads for investigations.
3/28/201723 minutes, 37 seconds
Episode Artwork

DFSP # 057 - Webmail Collections

This week I talk about a methodology to collect webmail using freely available tools as well as the things you must consider before you do so.
3/21/201720 minutes, 3 seconds
Episode Artwork

DFSP # 056 - Surviving Solid State Drives

This week I go over my survival tips for imaging solid state drives (SSDs).
3/14/201715 minutes, 12 seconds
Episode Artwork

DFSP # 055 - Automated Host Intelligence

This week I talk about threat intelligence tool Hostintel by Keith Jones.
3/7/201725 minutes, 40 seconds
Episode Artwork

DFSP # 054 - Surviving the Conference Season

This week I share some thoughts on how to approach DFIR conferences to maximize the experience. There are many to choose from and having an analytical approach may get you exactly what you want for your time and money.
2/28/201715 minutes, 32 seconds
Episode Artwork

DFSP # 053 - Top FU&K Plugins

This week I talk about my favorite Volatility plugins for File Use & Knowledge investigations to get at the volatile evidence most often targeted during a dead box exam.
2/21/201723 minutes, 46 seconds
Episode Artwork

DFSP # 052 - Free Your Mind

This week I talk about FreeMind, a freely available visualization tool that can be used to enhance the computer forensic investigation process.
2/14/201721 minutes, 48 seconds
Episode Artwork

DFSP # 051 - Analyzing PE Signatures

This week I talk about an openly available library and tool repository  all examiners should be aware of as well as a tool by Didier Stevens called "AnalyzePESig" which is perfect for bulk analysis of executables on Windows systems.
2/7/201719 minutes, 18 seconds
Episode Artwork

DFSP # 050 - Virtual Machine Forensics

This week I talk File Use & Knowledge investigations involving virtual machines. This is mainly from a dead-box exam point-of-view.
1/31/201721 minutes, 56 seconds
Episode Artwork

DFSP # 049 - Get your SRUM on!

This week I talk about SRUM, a windows artifact with some significant forensic value for both File Use & Knowledge investigations as well as Incident Response.
1/24/201717 minutes, 56 seconds
Episode Artwork

DFSP # 048 - Evidence Integrity On-Scene

This week I talk about considerations for digital evidence integrity when collection evidence on-scene from a live system.
1/17/201723 minutes, 23 seconds
Episode Artwork

DFSP # 047 - Epoch Time Survival

This week I talk about surviving mobile App timestamps.
1/10/201722 minutes, 5 seconds
Episode Artwork

DFSP # 046 - DFIR New Year

This week I share my thoughts on setting DFIR goals for the coming year. I go over seven points worth focusing on for professional development.
1/3/201731 minutes, 3 seconds
Episode Artwork

DFSP # 045 - RUN DMA

This week I talk DMA (direct memory access) exploits as a technique to bypass passwords of a live system to conduct imaging - with legal authority of course.
12/27/201616 minutes, 54 seconds
Episode Artwork

DFSP # 044 - Automated File Intelligence

This week I talk about a useful automated file intelligence resource for dead box exam as well as IR investigations.
12/20/201624 minutes, 11 seconds
Episode Artwork

DFSP # 043 - Imaging a Mac: Survival Tips

This week I go over survival tips for imaging a Mac.
12/13/201620 minutes, 27 seconds
Episode Artwork

DFSP # 042 - Windows 10 Prefetch

This week I about the format change for Windows 10 Prefetch files as well as a freely available tool to decompress and present .pf file data.
12/6/201617 minutes, 22 seconds
Episode Artwork

DFSP # 041 - Trash Talkin'

This week I'm talking .Trash. I cover the forensic basics of this Mac artifact that examiners need to know.
11/29/201616 minutes, 30 seconds
Episode Artwork

DFSP # 040 - Mac Log Files

This week I talk about Mac Log files that are useful for File Use & Knowledge investigations as well as Incident Response.
11/22/201622 minutes, 31 seconds
Episode Artwork

DFSP # 039 - Apache Weblogs & SDF Announcement

This week I talk about Apache weblogs and a great resource for foundational knowledge at aid newer examiners with forensic analysis. In addition, big news for the SDF series!
11/15/201617 minutes, 52 seconds
Episode Artwork

DFSP # 038 - Finder Sidebar Forensics

This week it's back to Mac forensics with a look at the the Finder Sidebar and it's value for File Use & Knowledge investigations.
11/8/201617 minutes, 37 seconds
Episode Artwork

DFSP # 037 - The DFIRONOMICON

This week I pull back the focus for newer examiners and share some thoughts on creating a system that works for you to organize, and keep readily accessible, all the knowledge you accumulate..... and a few words about Shimcache on Windows 10.
11/1/201628 minutes, 47 seconds
Episode Artwork

DFSP # 036 - iCloud Forensic Evidence

This week I breakdown iCloud forensic artifacts.
10/25/201624 minutes, 35 seconds
Episode Artwork

DFSP # 035 - "Recent" File Listings on a Mac

This week I talk about where to find different listing of different recently accessed files on a Mac as well as how to break out the data for interpretation.
10/18/201623 minutes, 37 seconds
Episode Artwork

DFSP # 034 - Forensic tools for your Mac

This week I go over some of my favorite Mac tools.
10/11/201625 minutes, 52 seconds
Episode Artwork

DFSP # 033 - PLISTS for Mac Triage

This week I talk about some common PLISTS to check as part of an initial system triage.
10/4/201620 minutes, 30 seconds
Episode Artwork

DFSP # 032 - Mac Formats, Libraries & Keychains

This week I talk about common Mac file formats, Libraries and Keychains.
9/27/201619 minutes, 32 seconds
Episode Artwork

DFSP # 031 - Mac User Home Folder

This week I talk about Mac Home Folders to give Mac Examiners an idea of how it is structured and where to look for certain artifacts.
9/20/201618 minutes, 43 seconds
Episode Artwork

DFSP # 030 - OS X Spotlight

This week I talk about OS X's Spotlight feature, a powerful indexing and search engine built into your Mac that may be harnessed for computer forensic purposes.
9/13/201619 minutes, 3 seconds
Episode Artwork

DFSP # 029 - Mac Cooties?!

This week I talk Apple double files and what to make of them during a forensic exam.
9/6/201621 minutes, 19 seconds
Episode Artwork

DFSP # 028 - Microcast

This week I am taking a breather and doing some planning for future topics. If you have a topic you would like to see covered mention it in the show notes. Full episodes will return the first week of September.
8/30/20163 minutes, 20 seconds
Episode Artwork

DFSP # 027 – Mac as a forensic platform

This week I go over some of my top reasons why Macs should be considered as a computer forensic platform.
8/23/201630 minutes, 51 seconds
Episode Artwork

DFSP # 026 - File Juicer

File Juicer is an easy to use data carving tool that runs on OS X. Take most any file, drop it on File Juicer, and watch it spin out embedded image, movie, document files and text. Perfect for on-scene triage, lab work and exploring new file types.
8/16/201617 minutes, 19 seconds
Episode Artwork

DFSP # 025 - RAM Extraction Tools - Part 2

This is part two of RAM extraction tools. Part 1 looked at why RAM extraction is an important part of forensic analysis. In Part 2 the results of a benchmark experiment with four different RAM Extraction tools is discussed: DumpIt, Belkasoft's RAM Capturer, Magnet RAM Capture and the RAM extraction feature in FTK Imager.
8/9/201629 minutes, 39 seconds
Episode Artwork

DFSP # 024 - RAM Extraction Tools - Part 1

This episode is a two-parter looking at RAM extraction tools. Part 1 will take a look at why RAM extraction is an important part of forensic analysis. Part 2 will go over an experiment I did with four different tools: DumpIt, Belkasoft's RAM Capturer, Magnet RAM Capture and the RAM extraction feature in FTK Imager.
8/2/201620 minutes, 44 seconds
Episode Artwork

DFSP # 023 - Battle Royale: FTK vs EnCase vs WinHEX

This week I take a look at three popular computer forensic suites: FTK, Encase and WinHex. I offer my opinion as to the strengths and weaknesses of each.
7/25/201620 minutes, 22 seconds
Episode Artwork

DFSP # 022 - DFIR Certification Planning & Considerations

If you take a look at all the different DFIR certifications that exist today you can easily get overwhelmed. There are so many to choose from it puts meaning to the saying that too many choices is no choice at all. In this episode I take a look at digital forensic certifications from two different vantage points to provide a little guidance to those that may be trying to advance themselves through a certification or two.
7/19/201630 minutes, 23 seconds
Episode Artwork

DFSP # 021 - The Honeynet Project

For those looking to get some real world hands-on experience in DFIR to build up or expand your skill set, check out honeynet.org. The non-profit offers information and challenges to help sharpen your skills.
7/12/201616 minutes, 48 seconds
Episode Artwork

DFSP # 020 - Amcache Forensics - Find Evidence of App Execution

This week I talk about Amcache Forensics, a Windows artifact that collects details about programs that have been run on a given system. This evidence can support malware/ intrusion investigations, file use and knowledge exams and data spoliations inquiries.
7/5/201625 minutes, 15 seconds
Episode Artwork

DFSP # 019 - Password Cracking with Hashcat

The last talk in the Open-Source password cracking series focuses on a tool that rivals the pay tools in function and capability - Hashcat.
6/28/201624 minutes, 1 second
Episode Artwork

DFSP # 018 - John the Ripper

Last episode I talked about using Cain to attack Windows LANMAN and NTLM hashes. Next we will discuss John the Ripper, Linux password files and rainbow tables.
6/20/201624 minutes, 54 seconds
Episode Artwork

DFSP # 017 - Cracking Passwords with Cain

In the last episode I talked about PW psychology, an important part of operationalizing any PW cracking tool effectively. Face it, the math is against you so understanding a person’s probable PW patterns is important. In this episode we will talk about our first tool that can be used against a PW file. First let’s go over some general features you will likely find in a PW cracking tool.
6/13/201623 minutes, 49 seconds
Episode Artwork

DFSP # 0016 - Password Psychology

The next mini series will focus on open source password attack tools. There are some pay options out there, however, most IR teams do not have a need for it and disk forensic teams use if infrequently. Despite this many labs want the capability so it makes sense to explore the open source options first before spending the money. My goal here is talk about these options to provide some insight and to open the series I thought I's talk about password psychology since the weakness link in any password algorithm is usually the person using it.  
6/6/201632 minutes, 45 seconds
Episode Artwork

DFSP # 015 - $UsnJrnl File

The $UsnJrnl is an artifact that logs certain changes to files in NTFS volumes. It is a great source of timeline information for malware\ IR investigations, time stomping concerns and anti-forensics activities (i.e. wiping) as well as an additional source of file use and knowledge evidence for disk forensics.  
5/31/201613 minutes, 39 seconds
Episode Artwork

DFSP # 014 - Shimcache

In this episode I talk Shimcache, otherwise known as the Application Compatibility Cache. This registry key has existed since Windows XP and tracks executable on a system, making it a great source of digital evidence for both disk forensics and incident response cases. In addition, there are freely available tools that will parse the data. It is not a difficult artifact to understand. Once an analyst spends the time learning how to pull, parse and interpret the data it is easily incorporated into an investigation and aligns well with other Windows artifacts.  
5/23/201618 minutes, 10 seconds
Episode Artwork

DFSP # 013 - Windows 10 Artifacts

In this episode I cover something I have been intending to do for some time: a Windows 10 artifacts overview. Here, I explore some key artifacts changes and what has stayed the same. Once I got into it I found there was a lot to talk about so, to start, I will discuss the topics from a high level. In future episodes I will dig in deeper to each artifact.
5/16/201624 minutes, 51 seconds
Episode Artwork

DFSP # 012 - Just-Metadata

This episode I talk Just-Metadata, a freely available tool that gathers data about IP addresses from publicly available resources. Check out Truncer's website to learn more. I put together my quick start notes (below) for anyone interested in getting set up. This tool is very powerful and useful for Incident Response investigations, especially since you can batch upload IP addresses and quickly get useful details.
5/9/201614 minutes, 2 seconds
Episode Artwork

DFSP # 011 - PALADIN

This episode I talk about PALADIN from SUMURI. PALADIN is a modified “live” Linux distribution based on Ubuntu that simplifies various forensics tasks in a forensically sound manner via the PALADIN Toolbox and used by thousands of digital forensic examiners from Law Enforcement, Military, Federal, State and Corporate agencies.
5/2/201624 minutes, 20 seconds
Episode Artwork

DFSP # 010 - Investigation Survival Tips

This episode covers Investigation Survival Tips.... for the new guy. Newer examiners are often thrown into a world where it is there mission to find "everything." Not on that, they are usually given inadequate investigative support to accomplish their assigned goals. I have seen this happen often so I thought I would spend an episode giving some advice on how to steer the conversation to keep expectation realistic and in-check.
4/25/201625 minutes, 51 seconds
Episode Artwork

DFSP #009 - Linux for Computer Forensics

In this episode I cover using Linux as a forensic platform... for the new guy. I find many examiners are very Windows-centric. There is nothing wrong with that as most tools and evidence is Windows based. However, Linux comes in handy from time to time and knowing some basic commands is always helpful.
4/18/201616 minutes, 39 seconds
Episode Artwork

DFSP # 008 - Virtual Machines & Computer Forensics

In this episode I talk all about virtual machines; the reasons you should be using them (more), prebuilt ones that are freely available and loaded with digital forensic tools and a free virtual machine application that has the same functionality you need as the pay tools.
4/11/201622 minutes, 57 seconds
Episode Artwork

DFSP #007 - File Use & Knowledge Wrap Up

In this episode we wrap up the File Use & Knowledge artifacts discussed previously and talk about how they connect to help strengthen a case.
4/4/201629 minutes, 8 seconds
Episode Artwork

DFSP #006 - Resolving Attached USBs

Have you ever been asked to find out what the "F" drive is? Have you ever needed to prove a USB drive was attached to a target system? Collecting and presenting this information is a core skill all computer forensic analysts need know. This episode breaks down the process of collecting and interpreting the data necessary to make the connection between USB device and Windows systems.
3/28/201620 minutes, 41 seconds
Episode Artwork

DFSP #003 - What the Shellbag!

In this episode we examine how to use Windows Shellbag records to help prove file use and knowledge. Shellbag records are created by certain user activity and can be used to show where a user has navigated to on a computer system and when they did so. Very powerful evidence!
3/21/201628 minutes, 28 seconds
Episode Artwork

DFSP #004 - Windows Prefetch

Windows Prefetch data is a great source of evidence to help determine file use and knowledge of applications running on the system.
3/14/201618 minutes, 32 seconds
Episode Artwork

DFSP #003 - Windows Explorer Evidence

Oftentimes you will be asked to find information on a target system that shows if a user accessed certain files, the last time they did and/ or how often they did. Being able to put a picture together that answers these questions can be critical and make or break the case.
2/17/201616 minutes, 35 seconds
Episode Artwork

DFSP #002 - Windows Link Files

Windows LINK files are a great source of information when your aim is proving file use and knowledge during a computer forensic investigation. Knowing how to interpret these files will break reliance on automated tools and give you the versatility to quickly examine - interpret - and gain investigative insight.  
2/15/201625 minutes, 39 seconds
Episode Artwork

DFSP #001: Premiere Episode

Listen to talk about computer forensic analysis, techniques, methodology, tool reviews and more.
2/14/201614 minutes, 52 seconds